diff --git a/devices/surface-hub/change-history-surface-hub.md b/devices/surface-hub/change-history-surface-hub.md
index 2d6c513d65..6aeb77daa5 100644
--- a/devices/surface-hub/change-history-surface-hub.md
+++ b/devices/surface-hub/change-history-surface-hub.md
@@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: surfacehub
author: jdeckerms
ms.author: jdecker
-ms.date: 09/25/2017
+ms.date: 10/05/2017
ms.localizationpriority: medium
---
@@ -16,6 +16,12 @@ ms.localizationpriority: medium
This topic lists new and updated topics in the [Surface Hub Admin Guide]( surface-hub-administrators-guide.md).
+## Octoboer 2017
+
+New or changed topic | Description |
+--- | ---
+[Install apps on your Microsoft Surface Hub](install-apps-on-surface-hub.md) | Updated instructions to use Windows Team device family
+
## September 2017
New or changed topic | Description
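Review bot: The added heading `## Octoboer 2017` is misspelled and should read `## October 2017`. The new table header `New or changed topic | Description |` also carries a trailing pipe that the separator row below it and the existing September header do not, so drop it to keep the tables consistent.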
diff --git a/devices/surface-hub/images/device-family.png b/devices/surface-hub/images/device-family.png
new file mode 100644
index 0000000000..1efe12fc57
Binary files /dev/null and b/devices/surface-hub/images/device-family.png differ
diff --git a/devices/surface-hub/install-apps-on-surface-hub.md b/devices/surface-hub/install-apps-on-surface-hub.md
index cf999ceac8..6a29b16f19 100644
--- a/devices/surface-hub/install-apps-on-surface-hub.md
+++ b/devices/surface-hub/install-apps-on-surface-hub.md
@@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: surfacehub, store
author: jdeckerms
ms.author: jdecker
-ms.date: 06/19/2017
+ms.date: 10/05/2017
ms.localizationpriority: medium
---
@@ -18,8 +18,8 @@ ms.localizationpriority: medium
You can install additional apps on your Surface Hub to fit your team or organization's needs. There are different methods for installing apps depending on whether you are developing and testing an app, or deploying a released app. This topic describes methods for installing apps for either scenario.
A few things to know about apps on Surface Hub:
-- Surface Hub only runs [Universal Windows Platform (UWP) apps](https://msdn.microsoft.com/windows/uwp/get-started/whats-a-uwp). Apps created using the [Desktop App Converter](https://docs.microsoft.com/windows/uwp/porting/desktop-to-uwp-run-desktop-app-converter) will not run on Surface Hub. See a [list of apps that work with Surface Hub](https://www.microsoft.com/surface/support/surface-hub/surface-hub-apps).
-- Apps must be targeted for the [Universal device family](https://msdn.microsoft.com/library/windows/apps/dn894631).
+- Surface Hub only runs [Universal Windows Platform (UWP) apps](https://msdn.microsoft.com/windows/uwp/get-started/whats-a-uwp). Apps created using the [Desktop App Converter](https://docs.microsoft.com/windows/uwp/porting/desktop-to-uwp-run-desktop-app-converter) will not run on Surface Hub. See a [list of apps that work with Surface Hub](https://support.microsoft.com/help/4040382/surface-Apps-that-work-with-Microsoft-Surface-Hub).
+- Apps must be targeted for the [Universal device family](https://msdn.microsoft.com/library/windows/apps/dn894631) or Windows Team device family.
- By default, apps must be Store-signed to be installed. During testing and development, you can also choose to run developer-signed UWP apps by placing the device in developer mode.- When submitting an app to the Microsoft Store, developers need to set Device family availability and Organizational licensing options to make sure an app will be available to run on Surface Hub.
- You need admin credentials to install apps on your Surface Hub. Since the device is designed to be used in communal spaces like meeting rooms, people can't access the Microsoft Store to download and install apps.
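Review bot: The added "or Windows Team device family" in the second bullet has no link or definition, while the Universal device family next to it is linked, so a reader has no way to tell what targeting it involves. Link it to the same kind of reference, or add a short explanation. While this list is being edited, the following context bullet runs two items together at "developer mode.- When submitting" and could be split.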
@@ -56,11 +56,12 @@ During app submission, developers need to set **Device family availability** and
**To set device family availability**
1. On the [Windows Dev Center](https://developer.microsoft.com), navigate to your app submission page.
2. Select **Packages**.
-3. Under Device family availability, select these options:
- - **Windows 10 Desktop** (other device families are optional)
+3. Under **Device family availability**, select these options:
+
+ - **Windows 10 Team**
- **Let Microsoft decide whether to make the app available to any future device families**
-
+
For more information, see [Device family availability](https://msdn.microsoft.com/windows/uwp/publish/upload-app-packages#device-family-availability).
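Review bot: Step 3 now names the option **Windows 10 Team**, while the bullet list earlier in this file and the change-history entry call it "Windows Team device family". Pick one name, or state that they are the same thing. The removed line also said "(other device families are optional)"; if that still holds, keep the parenthetical on the new bullet so developers do not read this as the only family to select.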
@@ -126,7 +127,7 @@ To deploy apps to a large number of Surface Hubs in your organization, use a sup
|-----------------------------|----------------------------------------|
| On-premises MDM with System Center Configuration Manager (beginning in version 1602) | Yes |
| Hybrid MDM with System Center Configuration Manager and Microsoft Intune | Yes |
-| Microsoft Intune standalone | No |
+| Microsoft Intune standalone | Yes |
| Third-party MDM provider | Check to make sure your MDM provider supports deploying offline-licensed app packages. |
**To deploy apps remotely using System Center Configuration Manager (either on-prem MDM or hybrid MDM)**
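Review bot: The `Microsoft Intune standalone` row changes from No to Yes, but the October 2017 change-history entry for this topic only says "Updated instructions to use Windows Team device family". Mention the new Intune standalone support there as well, since admins choosing an MDM path will rely on this table.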
diff --git a/devices/surface/microsoft-surface-data-eraser.md b/devices/surface/microsoft-surface-data-eraser.md
index b7993ada90..00d3409f91 100644
--- a/devices/surface/microsoft-surface-data-eraser.md
+++ b/devices/surface/microsoft-surface-data-eraser.md
@@ -34,7 +34,7 @@ Compatible Surface devices include:
- Surface Pro 4
-- Surface Pro3
+- Surface Pro 3
- Surface 3
diff --git a/education/get-started/get-started-with-microsoft-education.md b/education/get-started/get-started-with-microsoft-education.md
index 51de907eef..899c7aa79e 100644
--- a/education/get-started/get-started-with-microsoft-education.md
+++ b/education/get-started/get-started-with-microsoft-education.md
@@ -10,7 +10,7 @@ ms.localizationpriority: high
ms.pagetype: edu
author: CelesteDG
ms.author: celested
-ms.date: 08/29/2017
+ms.date: 10/04/2017
---
# Get started: Deploy and manage a full cloud IT solution with Microsoft Education
@@ -146,6 +146,15 @@ To learn more about the services and tools mentioned in this walkthrough, and le
- Deployment using PowerSchool Sync: How to deploy School Data Sync by using PowerSchool Sync and School Data Sync required attributes for PowerSchool Sync
- Deployment using Clever Sync: How to deploy School Data Sync by using Clever Sync and School Data Sync required attributes for Clever sync
- Deployment using OneRoster CSV files: How to deploy School Data Sync by using OneRoster CSV files
+- Azure Active Directory features used by Intune for Education, including:
+ - Single Sign-On (SSO) - Allow your Azure AD users to access SSO-enabled apps, so they don’t need to type in their credentials to access these apps.
+ - MDM auto-enrollment - Devices are automatically enrolled with Intune upon being joined with Azure AD join.
+- Enterprise state roaming - Keep school data and personal data separate on your devices.
+ - Dynamic groups - You can use dynamic groups to create rules that populate your groups (for example, a group with all 9th graders) instead of having to manually add or remove members of the groups. The group stays updated by continually staying populated with members that fit the rules you pick.
+ - Password write-back - Allows you to configure Azure AD to write passwords back to your on-premises Active Directory. It removes the need to set up and manage a complicated on-premises self-service password reset solution, and it provides a convenient cloud-based way for your users to reset their on-premises passwords wherever they are.
+ - Administrative units
+ - Additional local administrators
+ - Self-service BitLocker recovery - A self-service portal that allows your employees to retrieve their BitLocker recovery key and avoid support calls.
**For teachers**
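Review bot: The `- Enterprise state roaming` bullet is added at top-level indentation while the items before and after it are nested under "Azure Active Directory features used by Intune for Education, including:", so it will render as a separate list item and split the sub-list. Indent it to match its siblings. "Administrative units" and "Additional local administrators" have no description, unlike the other features, and the BitLocker item refers to "your employees" in a topic written for schools.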
diff --git a/store-for-business/TOC.md b/store-for-business/TOC.md
index 0b9807c98b..e92eeae78c 100644
--- a/store-for-business/TOC.md
+++ b/store-for-business/TOC.md
@@ -1,4 +1,5 @@
# [Microsoft Store for Business](index.md)
+## [What's new in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md)
## [Sign up and get started](sign-up-windows-store-for-business-overview.md)
###[Microsoft Store for Business and Microsoft Store for Education overview](windows-store-for-business-overview.md)
### [Prerequisites for Microsoft Store for Business and Education](prerequisites-windows-store-for-business.md)
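Review bot: Only whats-new-microsoft-store-business-education.md gets a TOC entry here, while release-history-microsoft-store-business-education.md is also added in this patch and is linked to nowhere in the TOC. Add an entry for it, or hold the file back until it is ready. The unchanged line `###[Microsoft Store for Business and Microsoft Store for Education overview]` is missing the space after `###`, which could be fixed in the same pass.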
diff --git a/store-for-business/acquire-apps-windows-store-for-business.md b/store-for-business/acquire-apps-windows-store-for-business.md
index aa700ada3e..42ad5a517d 100644
--- a/store-for-business/acquire-apps-windows-store-for-business.md
+++ b/store-for-business/acquire-apps-windows-store-for-business.md
@@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
+ms.date: 10/01/2017
ms.localizationpriority: high
---
@@ -30,18 +31,17 @@ There are a couple of things we need to know when you pay for apps. You can add
- Legal business address
- Payment option (credit card)
-
## Acquire apps
**To acquire an app**
-1. Log in to http://businessstore.microsoft.com
-2. Click Shop, or use Search to find an app.
+1. Sign in to http://businessstore.microsoft.com
+2. Click **Shop**, or use Search to find an app.
3. Click the app you want to purchase.
4. On the product description page, choose your license type - either online or offline.
-5. Free apps will be added to **Inventory** or **Apps & software**. For apps with a price, you can set the quantity you want to buy. Type the quantity and click **Next**.
-6. If you don’t have a payment method saved in **Account Information** or **Payments & billing**, we will prompt you for one.
-7. Add your credit card or debit card info, and click **Next**. Your card info is saved as a payment option on **Account information** or **Payments & billing**.
+5. Free apps will be added to **Products & services**. For apps with a price, you can set the quantity you want to buy. Type the quantity and click **Next**.
+6. If you don’t have a payment method saved in **Billing - Payment methods**, we will prompt you for one.
+7. Add your credit card or debit card info, and click **Next**. Your card info is saved as a payment option on **Billing - Payment methods**.
-You’ll also need to have your business address saved on **Account information** or **Payments & billing**. The address is used to generate tax rates. For more information on taxes for apps, see [organization tax information](https://technet.microsoft.com/itpro/windows/manage/update-windows-store-for-business-account-settings#organization-tax-information).
+You’ll also need to have your business address saved on ****Billing - Account profile***. The address is used to generate tax rates. For more information on taxes for apps, see [organization tax information](https://technet.microsoft.com/itpro/windows/manage/update-windows-store-for-business-account-settings#organization-tax-information).
Microsoft Store adds the app to your inventory. From **Inventory** or **Apps & software**, you can:
- Distribute the app: add to private store, or assign licenses
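Review bot: The emphasis markers in the added line `****Billing - Account profile***` are unbalanced (four asterisks opening, three closing) and will not render as bold; use `**Billing - Account profile**`. Step 5 now sends free apps to **Products & services**, but the unchanged sentence after the procedure still says "From **Inventory** or **Apps & software**", so the page names two different locations for the same inventory.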
@@ -51,3 +51,11 @@ Microsoft Store adds the app to your inventory. From **Inventory** or **Apps & s
For info on distributing apps, see [Distribute apps to your employees from the Microsoft Store for Business](distribute-apps-to-your-employees-windows-store-for-business.md).
For info on offline-licensed apps, see [Distribute offline apps](distribute-offline-apps.md).
+
+## Request apps
+People in your org can request additional licenses for apps that are in your organization's private store. When **Allow app requests** is turned on, people in your org can respond to a notification about app license availability. Admins for your tenant will receive an email with the request, and can decide about making the purchase.
+
+**To manage Allow app requests**
+1. Sign in to http://businessstore.microsoft.com
+2. Click **Manage**, click **Settings**, and then click **Distribute**.
+3. Under **Private store** turn on, or turn off **Allow app requests**.
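Review bot: Step 1 of the new procedure points admins at `http://businessstore.microsoft.com` for sign-in; use the `https://` form, as the Store for Education links elsewhere in this patch already do. The section says "Admins for your tenant" receive the request, while the what's-new topic added in this patch says "Admins or Purchasers" make the purchase, so the two descriptions of who acts on a request should agree. In step 3 the comma in "turn on, or turn off" can go.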
diff --git a/store-for-business/app-inventory-management-windows-store-for-business.md b/store-for-business/app-inventory-management-windows-store-for-business.md
index 6c598f70cc..9eebbb170e 100644
--- a/store-for-business/app-inventory-management-windows-store-for-business.md
+++ b/store-for-business/app-inventory-management-windows-store-for-business.md
@@ -84,7 +84,7 @@ Once an app is in your private store, people in your org can install the app on
3. Use **Refine results** to search for online-licensed apps under **License type**.
4. From the list of online-licensed apps, click the ellipses for the app you want, and then choose **Add to private store**.
-The value under **Private store** for the app will change to pending. It will take approximately twelve hours before the app is available in the private store.
+The value under **Private store** for the app will change to pending. It will take approximately thirty-six hours before the app is available in the private store.
Employees can claim apps that admins added to the private store by doing the following.
**To claim an app from the private store**
diff --git a/store-for-business/distribute-apps-from-your-private-store.md b/store-for-business/distribute-apps-from-your-private-store.md
index 29e97b30bb..73c7ff9a4c 100644
--- a/store-for-business/distribute-apps-from-your-private-store.md
+++ b/store-for-business/distribute-apps-from-your-private-store.md
@@ -44,7 +44,7 @@ Microsoft Store adds the app to **Apps & software**. Click **Manage**, **Apps &
-The value under **Private store** for the app will change to pending. It will take approximately twelve hours before the app is available in the private store.
+The value under **Private store** for the app will change to pending. It will take approximately thirty-six hours before the app is available in the private store.
Employees can claim apps that admins added to the private store by doing the following.
diff --git a/store-for-business/images/msfb-wn-1709-app-request.png b/store-for-business/images/msfb-wn-1709-app-request.png
new file mode 100644
index 0000000000..e454aca9a9
Binary files /dev/null and b/store-for-business/images/msfb-wn-1709-app-request.png differ
diff --git a/store-for-business/images/msfb-wn-1709-edge-ext.png b/store-for-business/images/msfb-wn-1709-edge-ext.png
new file mode 100644
index 0000000000..15170ecfc3
Binary files /dev/null and b/store-for-business/images/msfb-wn-1709-edge-ext.png differ
diff --git a/store-for-business/images/msfb-wn-1709-my-org.png b/store-for-business/images/msfb-wn-1709-my-org.png
new file mode 100644
index 0000000000..ecb47b6e8a
Binary files /dev/null and b/store-for-business/images/msfb-wn-1709-my-org.png differ
diff --git a/store-for-business/images/msfb-wn-1709-o365-csp.png b/store-for-business/images/msfb-wn-1709-o365-csp.png
new file mode 100644
index 0000000000..b51d32923a
Binary files /dev/null and b/store-for-business/images/msfb-wn-1709-o365-csp.png differ
diff --git a/store-for-business/images/msfb-wn-1709-o365-prepaid.png b/store-for-business/images/msfb-wn-1709-o365-prepaid.png
new file mode 100644
index 0000000000..9bdb360a31
Binary files /dev/null and b/store-for-business/images/msfb-wn-1709-o365-prepaid.png differ
diff --git a/store-for-business/images/msfb-wn-1709-search-result-sub-cat.png b/store-for-business/images/msfb-wn-1709-search-result-sub-cat.png
new file mode 100644
index 0000000000..de246824f5
Binary files /dev/null and b/store-for-business/images/msfb-wn-1709-search-result-sub-cat.png differ
diff --git a/store-for-business/images/wsfb-wsappprivatestore.png b/store-for-business/images/wsfb-wsappprivatestore.png
index 9c29e7604c..48d9f79892 100644
Binary files a/store-for-business/images/wsfb-wsappprivatestore.png and b/store-for-business/images/wsfb-wsappprivatestore.png differ
diff --git a/store-for-business/manage-settings-windows-store-for-business.md b/store-for-business/manage-settings-windows-store-for-business.md
index f9592cd92e..e30487958f 100644
--- a/store-for-business/manage-settings-windows-store-for-business.md
+++ b/store-for-business/manage-settings-windows-store-for-business.md
@@ -12,7 +12,6 @@ ms.localizationpriority: high
# Manage settings for Microsoft Store for Business and Education
-
**Applies to**
- Windows 10
@@ -24,7 +23,7 @@ You can add users and groups, as well as update some of the settings associated
| Topic | Description |
| ----- | ----------- |
-| [Update Microsoft Store for Business and Education account settings](update-windows-store-for-business-account-settings.md) | The **Account information** page in Microsoft Store for Business shows information about your organization that you can update, including: organization information, payment options, and offline licensing settings. |
+| [Update Microsoft Store for Business and Education account settings](update-windows-store-for-business-account-settings.md) | **Billing - Account profile** in Microsoft Store for Business shows information about your organization that you can update. Payment options can be managed on **Billing - Payment methods**, and offline license settings can be managed on **Settings - Shop**. |
| [Manage user accounts in Microsoft Store for Business and Education](manage-users-and-groups-windows-store-for-business.md) | Microsoft Store for Business manages permissions with a set of roles. Currently, you can [assign these roles to individuals in your organization](roles-and-permissions-windows-store-for-business.md), but not to groups. |
diff --git a/store-for-business/release-history-microsoft-store-business-education.md b/store-for-business/release-history-microsoft-store-business-education.md
new file mode 100644
index 0000000000..869d8d89db
--- /dev/null
+++ b/store-for-business/release-history-microsoft-store-business-education.md
@@ -0,0 +1,22 @@
+---
+title: Whats new in Microsoft Store for Business and Education
+description: Learn about newest features in Microsoft Store for Business and Microsoft Store for Education.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: store
+author: TrudyHa
+ms.date: 09/21/2017
+---
+
+# Microsoft Store for Business and Education release history
+
+Microsoft Store for Business and Education regularly releases new and improved feaures. Here's a summary of new or updated features in previous releases.
+
+Looking for info on the latest release? Check out [What's new in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md)
+
+## August 2017
+These items were released or updated in August, 2017.
+
+- **Pellentesque habitant morbi tristique** - Lorem ipsum dolor sit amet, consectetuer adipiscing elit. [Learn more](distribute-apps-from-your-private-store.md)
+- **Aenean nec lorem** - Lorem ipsum dolor sit amet, consectetuer adipiscing elit. [Learn more](distribute-apps-from-your-private-store.md)
\ No newline at end of file
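Review bot: The August 2017 section of this new file still contains placeholder text ("Pellentesque habitant morbi tristique", "Lorem ipsum dolor sit amet") with both "Learn more" links pointing at the same topic, so it is not ready to publish. Replace the placeholders with the real release items or leave the file out of this change. The front-matter `title` duplicates the what's-new topic title instead of naming the release history, "feaures" should be "features", and the file lacks a trailing newline.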
diff --git a/store-for-business/settings-reference-windows-store-for-business.md b/store-for-business/settings-reference-windows-store-for-business.md
index 09fbf09a41..6d5922b831 100644
--- a/store-for-business/settings-reference-windows-store-for-business.md
+++ b/store-for-business/settings-reference-windows-store-for-business.md
@@ -22,13 +22,15 @@ The Microsoft Store for Business and Education has a group of settings that admi
| Setting | Description | Location under **Manage** |
| ------- | ----------- | ------------------------------ |
-| Account information and payment options | Manage organization and payment option information. For more information, see [Manage settings for the Microsoft Store for Business and Education](manage-settings-windows-store-for-business.md).| **Payments & billing** |
-| Private store | Update the name for your private store. The new name will be displayed on a tab in the Store. For more information, see [Manage private store settings](manage-private-store-settings.md). | **Store settings** |
-| Offline licensing | Configure whether or not to make offline-licensed apps available in the Microsoft Store for Business and Education. For more information, see [Distribute offline apps](distribute-offline-apps.md). | **Store settings** (Private store tab) |
-| Management tools | Management tools that are synced with Azure AD are listed on this page. You can choose one to use for managing app updates and distribution. For more information, see [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md). | **Store settings** |
-| Device Guard signing | Use the Device Guard signing portal to add unsigned apps to a code integrity policy, or to sign code integrity policies. For more information, see [Device Guard signing portal](device-guard-signing-portal.md). | **Store settings** |
-| Permissions | Manage permissions for your employees. For more information, see [Roles and permissions in the Microsoft Store for Business and Education](roles-and-permissions-windows-store-for-business.md). | **Permissions** |
-| Line-of-business (LOB) publishers | Invite devs to become LOB publishers for your organization. Existing LOB publishers are listed on the page, and you can deactivate or invite them again. For more information, see [Work with line-of-business apps](working-with-line-of-business-apps.md). | **Permissions** |
+| Account information | Manage organization information. For more information, see [Manage settings for the Microsoft Store for Business and Education](update-windows-store-for-business-account-settings.md).| **Billing - Account profile** |
+| Payment options | Manage payment options. For more information, see [Manage settings for the Microsoft Store for Business and Education](update-windows-store-for-business-account-settings.md#payment-options).| **Billing - Payment methods** |
+| Private store | Update the name for your private store. The new name will be displayed on a tab in the Store. For more information, see [Manage private store settings](manage-private-store-settings.md). | **Settings - Distribute** |
+| Offline licensing | Configure whether or not to make offline-licensed apps available in the Microsoft Store for Business and Education. For more information, see [Distribute offline apps](distribute-offline-apps.md). | **Settings - Shop** |
+| App request | Configure whether or not people in your organization can request apps for admins to purchase. For more information, see [Distribute offline apps](acquire-apps-windows-store-for-business.md). | **Settings - Distribute** |
+| Management tools | Management tools that are synced with Azure AD are listed on this page. You can choose one to use for managing app updates and distribution. For more information, see [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md). | **Settings - Distribute** |
+| Device Guard signing | Use the Device Guard signing portal to add unsigned apps to a code integrity policy, or to sign code integrity policies. For more information, see [Device Guard signing portal](device-guard-signing-portal.md). | **Settings - Devices** |
+| Permissions | Manage permissions for your employees. For more information, see [Roles and permissions in the Microsoft Store for Business and Education](roles-and-permissions-windows-store-for-business.md). | **Permissions - Roles** and **Permissions - Blocked basic purchasers** |
+| Line-of-business (LOB) publishers | Invite devs to become LOB publishers for your organization. Existing LOB publishers are listed on the page, and you can deactivate or invite them again. For more information, see [Work with line-of-business apps](working-with-line-of-business-apps.md). | **Permissions - Line-of-business apps** |
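Review bot: In the new `App request` row the link text is "Distribute offline apps" but the target is acquire-apps-windows-store-for-business.md, which looks copied from the Offline licensing row. Change the text to match the target, ideally pointing at its Request apps section. The Account information and Payment options rows likewise keep the link text "Manage settings for the Microsoft Store for Business and Education" while now linking to update-windows-store-for-business-account-settings.md.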
diff --git a/store-for-business/update-windows-store-for-business-account-settings.md b/store-for-business/update-windows-store-for-business-account-settings.md
index f88eec0840..951212afbd 100644
--- a/store-for-business/update-windows-store-for-business-account-settings.md
+++ b/store-for-business/update-windows-store-for-business-account-settings.md
@@ -32,7 +32,7 @@ We need an email address in case we need to contact you about your Microsoft Sto
**To update Organization information**
1. Sign in to the [Store for Business](http://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com)
-2. Click **Manage**, click **Payments & billing**, and then click **Edit**.
+2. Click **Manage**, click **Billing**, **Account profile**, and then click **Edit**.
## Organization tax information
Taxes for Microsoft Store for Business purchases are determined by your business address. Businesses in these countries can provide their VAT number or local equivalent:
@@ -87,7 +87,7 @@ If you qualify for tax-exempt status in your market, start a service request to
**To start a service request**
1. Sign in to the [Store for Business](http://businessstore.microsoft.com).
-2. Click **Support**, and then under **Store or account support** click **Start a service request**.
+2. Click **Manage**, click **Support**, and then under **Store settings & configuration** click **Create technical support ticket**.
You’ll need this documentation:
@@ -124,8 +124,8 @@ You can purchase apps from Microsoft Store for Business using your credit card.
**To add a new payment option**
1. Sign in to the [Store for Business](http://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com).
-2. Click **Manage**, and then click **Payments & billing**.
-3. Under **Payment options**, click **Show my payment options**, and then select the type of credit card that you want to add.
+2. Click **Manage**, click **Billing**, and then click **Payments methods**.
+3. Click **Add a payment options**, and then select the type of credit card that you want to add.
4. Add information to any required fields, and then click **Next**.
Once you click Next, the information you provided will be validated with a test authorization transaction and, if validated, the payment option will be added to your list of available payment options. Otherwise, you will be prompted for additional information or notified if there are any problems.
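Review bot: The UI labels in the changed steps read `**Payments methods**` and `**Add a payment options**`, which do not match the **Billing - Payment methods** label used in the other files of this patch and are ungrammatical as written. Confirm the exact strings against the portal and correct them here.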
@@ -136,10 +136,10 @@ Once you click Next, the information you provided will be validated with a tes
**To update a payment option**
1. Sign in to the [Store for Business](http://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com).
-2. Click **Manage**, and then click **Payments & billng**.
-3. Under **Payment options** > **Show my payment options**, select the payment option that you want to update, and then click **Update**.
+2. Click **Manage**, click **Billing**, and then click **Payments methods**.
+3. Select the payment option that you want to update, and then click **Update**.
4. Enter any updated information in the appropriate fields, and then click **Next**.
-Once you click **Next**, the information you provided will be validated with a test authorization transaction and, if validated, the payment option will be added to your list of available payment options. Otherwise,you will be prompted for additional information or notified if there are any problems.
+Once you click **Next**, the information you provided will be validated with a test authorization transaction and, if validated, the payment option will be added to your list of available payment options. Otherwise, you will be prompted for additional information or notified if there are any problems.
> [!NOTE]
> Certain actions, like updating or adding a payment option, require temporary “test authorization” transactions to validate the payment option. These may appear on your statement as $0.00 authorizations or as small pending transactions. These transactions are temporary and should not impact your account unless you make several changes in a short period of time, or have a low balance.
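Review bot: Step 2 repeats the `**Payments methods**` label from the add procedure and needs the same correction to match **Billing - Payment methods**. The sentence after the steps, touched here only for the comma, still says the payment option "will be added to your list" although this procedure updates an existing option.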
@@ -153,8 +153,8 @@ Admins can decide whether or not offline licenses are shown for apps in Microsof
**To set offline license visibility**
1. Sign in to the [Store for Business](http://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com).
-2. Click **Manage**, and then click **Payments & billing**.
-3. Under **Offline licensing**, click **Show offline licensed apps to people shopping in the store** to show availability for both online and offline licenses.
+2. Click **Manage**, and then click **Settings - Shop**.
+3. Under **Shopping experience** turn on or turn off **Show offline apps**,to show availability for offline-licensed apps.
You have the following distribution options for offline-licensed apps:
- Include the app in a provisioning package, and then use it as part of imaging a device.
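Review bot: Step 3 is missing a space after the comma in `**Show offline apps**,to show` and the comma itself is not needed. Step 2 writes the navigation as a single bold label, `**Settings - Shop**`, where the other procedures in this patch spell out each click ("click **Settings**, and then click **Distribute**"), so use the same click-by-click form here.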
diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md
new file mode 100644
index 0000000000..573f0a34c6
--- /dev/null
+++ b/store-for-business/whats-new-microsoft-store-business-education.md
@@ -0,0 +1,35 @@
+---
+title: Whats new in Microsoft Store for Business and Education
+description: Learn about newest features in Microsoft Store for Business and Microsoft Store for Education.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: store
+author: TrudyHa
+ms.date: 10/04/2017
+---
+
+# What's new in Microsoft Store for Business and Education
+
+Microsoft Store for Business and Education regularly releases new and improved feaures. Take a look below to see what's available to you today.
+
+## Latest updates for Store for Business and Education
+
+| | |
+|-----------------------|---------------------------------|
+| | **Manage Windows device deployment with Windows AutoPilot Deployment**
In Microsoft Store for Business, you can manage devices for your organization and apply an AutoPilot deployment profile to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows, based on the AutoPilot deployment profile you applied to the device.
[Get more info](add-profile-to-devices.md)
**Applies to**: Microsoft Store for Business Microsoft Store for Education |
+|  |**Request an app**
People in your organization can reqest additional licenses for apps in your private store, and then Admins or Purchasers can make the purchases.
[Get more info](https://docs.microsoft.com/microsoft-store/acquire-apps-windows-store-for-business#request-apps)
**Applies to**: Microsoft Store for Business Microsoft Store for Education |
+|  |**My organization**
**My organization** shows you all Agreements that apply to your organization. You can also update profile info for you org, such as mailing address and email associated with your account.
**Applies to**: Microsoft Store for Business Microsoft Store for Education |
+|  |**Manage prepaid Office 365 subscriptions**
Office 365 prepaid subscriptions can be redeemed using a prepaid token. Tokens are available through 3rd-party businesses, outside of Microsoft Store for Business or the Office 365 Admin portal. After redemming prepaid subscriptions, Admins can add more licenses or extend the subscription's expiration date.
**Applies to**: Microsoft Store for Business Microsoft Store for Education |
+|  |**Manage Office 365 subscriptions acquired by partners**
Office 365 subscriptions purchased for your organization by a partner or reseller can be managed in Microsoft Store for Business. Admins can assign and manage licenses for these subscriptions.
**Applies to**: Microsoft Store for Business Microsoft Store for Education |
+|  |**Edge extensions in Microsoft Store**
Edge Extensions are now available from Microsoft Store! You can acquire and distribute them from Microsoft Store for Business just like any other app.
**Applies to**: Microsoft Store for Business Microsoft Store for Education |
+|  |**Search results in Microsoft Store for Business**
Search results now have sub categories to help you refine search results.
**Applies to**: Microsoft Store for Business Microsoft Store for Education |
+
+
\ No newline at end of file
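Review bot: Three spelling slips in the added table rows should be fixed before merge: "reqest additional licenses" in the Request an app row, "profile info for you org" in the My organization row, and "After redemming prepaid subscriptions" in the prepaid Office 365 row (request, your org, redeeming). The file also ends without a trailing newline (`\ No newline at end of file`); add one so later diffs to this table stay clean.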
diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
index 51d3af12b8..084999e656 100644
--- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
+++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
@@ -25,7 +25,7 @@ ms.date: 09/08/2017
>[!IMPORTANT]
>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher.
-In hybrid deployments, users register the public portion of their Windows Hello for Business crednetial with Azure. Azure AD Connect syncrhonizes the Windows Hello for Business public key to Active Directory.
+In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory.
The key-trust model needs Windows Server 2016 domain controllers, which configures the key registration permissions automatically; however, the certificate-trust model does not and requires you to add the permissions manually.
diff --git a/windows/access-protection/hello-for-business/hello-identity-verification.md b/windows/access-protection/hello-for-business/hello-identity-verification.md
index 59a9bb791e..68f001e2f3 100644
--- a/windows/access-protection/hello-for-business/hello-identity-verification.md
+++ b/windows/access-protection/hello-for-business/hello-identity-verification.md
@@ -71,6 +71,23 @@ The table shows the minimum requirements for each deployment.
## Frequently Asked Questions
+### What is the user experience for Windows Hello for Business?
+The user experience for Windows Hello for Business occurs after user sign-in, after you deploy Windows Hello for Business policy settings to your environment.
+
+> [!VIDEO https://www.youtube.com/embed/FJqHPTZTpNM]
+
+
+
+> [!VIDEO https://www.youtube.com/embed/etXJsZb8Fso]
+
+### What happens when my user forgets their PIN?
+
+If the user can sign-in with a password, they can reset their PIN by clicking the "I forgot my PIN" link in settings. Beginning with the Fall Creators Update, users can reset their PIN above the lock screen by clicking the "I forgot my PIN" link on the PIN credential provider.
+
+> [!VIDEO https://www.youtube.com/embed/KcVTq8lTlkI]
+
+For on-premises deployments, devices must be well connected to their on-premises network (domain controllers and/or certificate authority) to reset their PINs. Hybrid customers can onboard their Azure tenant to use the Windows Hello for Business PIN reset service to reset their PINs without access to their corporate network.
+
### Do I need Windows Server 2016 domain controllers?
There are many deployment options from which to choose. Some of those options require an adequate number of Windows Server 2016 domain controllers in the site where you have deployed Windows Hello for Business. There are other deployment options that use existing Windows Server 2008 R2 or later domain controllers. Choose the deployment option that best suits your environment
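Review bot: The PIN reset answer tells hybrid customers they "can onboard their Azure tenant to use the Windows Hello for Business PIN reset service" but gives no link or steps for the onboarding, so the reader cannot act on it; link the topic that covers it. In the same answer, "If the user can sign-in with a password" uses the noun form as a verb (sign in). The first answer only says when the experience occurs and then embeds two videos with no caption, separated by three blank lines; a one-line description of each video would help readers who cannot play them.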
diff --git a/windows/application-management/enterprise-background-activity-controls.md b/windows/application-management/enterprise-background-activity-controls.md
index 238dc36fc2..48e61b947d 100644
--- a/windows/application-management/enterprise-background-activity-controls.md
+++ b/windows/application-management/enterprise-background-activity-controls.md
@@ -59,5 +59,6 @@ The Universal Windows Platform ensures that consumers will have great battery li
## See also
-[Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsruninbackground)
+- [Run in the background indefinitely](https://docs.microsoft.com/windows/uwp/launch-resume/run-in-the-background-indefinetly)
+- [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsruninbackground)
[Optimize background activity](https://docs.microsoft.com/windows/uwp/debug-test-perf/optimize-background-activity)
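Review bot: The new link target ends in `run-in-the-background-indefinetly`, which misspells "indefinitely"; confirm that this is the published slug and that the link resolves. The first two See also entries are now list items while the unchanged `[Optimize background activity]` line stays a bare link, so the section renders as a two-item list followed by a stray paragraph; prefix that line with `- ` as well.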
diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md
index 2d1385d654..6b56d24b8f 100644
--- a/windows/client-management/connect-to-remote-aadj-pc.md
+++ b/windows/client-management/connect-to-remote-aadj-pc.md
@@ -25,7 +25,7 @@ From its release, Windows 10 has supported remote connections to PCs that are jo
## Set up
-- Both PCs (local and remote) must be running Windows 10, version 1607. Remote connection to an Azure AD-joined PC that is running earlier versions of Windows 10 is not supported.
+- Both PCs (local and remote) must be running Windows 10, version 1607 (or later). Remote connection to an Azure AD-joined PC that is running earlier versions of Windows 10 is not supported.
- Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC that you are using to connect to the remote PC.
- On the PC that you want to connect to:
1. Open system properties for the remote PC.
diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md
index 947ffa3bac..623210a376 100644
--- a/windows/client-management/mdm/TOC.md
+++ b/windows/client-management/mdm/TOC.md
@@ -2,6 +2,7 @@
## [What's new in MDM enrollment and management](new-in-windows-mdm-enrollment-management.md)
## [Mobile device enrollment](mobile-device-enrollment.md)
### [MDM enrollment of Windows devices](mdm-enrollment-of-windows-devices.md)
+### [Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md)
### [Federated authentication device enrollment](federated-authentication-device-enrollment.md)
### [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md)
### [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md)
diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md
index 2e6580c656..bd4a538872 100644
--- a/windows/client-management/mdm/assignedaccess-csp.md
+++ b/windows/client-management/mdm/assignedaccess-csp.md
@@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/19/2017
+ms.date: 10/03/2017
---
# AssignedAccess CSP
@@ -19,16 +19,17 @@ The AssignedAccess configuration service provider (CSP) is used set the device t
For step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](http://go.microsoft.com/fwlink/p/?LinkID=722211)
-> **Note** The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting in Windows 10, version 1709 it is also supported in Windows 10 Pro.
+> [!Note]
+> The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting in Windows 10, version 1709 it is also supported in Windows 10 Pro and Windows 10 S.
The following diagram shows the AssignedAccess configuration service provider in tree format

-**./Vendor/MSFT/AssignedAccess**
+**./Device/Vendor/MSFT/AssignedAccess**
Root node for the CSP.
-**AssignedAccess/KioskModeApp**
+**./Device/Vendor/MSFT/AssignedAccess/KioskModeApp**
A JSON string that contains the user account name and Application User Model ID (AUMID) of the Kiosk mode app. For more information about how to get the AUMID, follow the information in [this Microsoft website](http://go.microsoft.com/fwlink/p/?LinkId=404220).
In Windows 10, version 1607, you can use a provisioned app to configure the kiosk mode. For more information about how to remotely provision an app, see [Enterprise app management](enterprise-app-management.md).
@@ -49,7 +50,7 @@ For a local account, the domain name should be the device name. When Get is exec
The supported operations are Add, Delete, Get and Replace. When there's no configuration, the Get and Delete methods fail. When there's already a configuration for kiosk mode app, the Add method fails. The data pattern for Add and Replace is the same.
-**AssignedAccess/Configuration**
+**./Device/Vendor/MSFT/AssignedAccess/Configuration**
Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Overview of the AssignedAccessConfiguration XML](#overview-of-the-assignedaccessconfiguration-xml). Here is the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd).
Enterprises can use this to easily configure and manage the curated lockdown experience.
diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md
index ff8c33aa7e..fd5460395b 100644
--- a/windows/client-management/mdm/configuration-service-provider-reference.md
+++ b/windows/client-management/mdm/configuration-service-provider-reference.md
@@ -2537,6 +2537,7 @@ The CSPs supported in Windows 10 S is the same as in Windows 10 Pro except that
- [ActiveSync CSP](activesync-csp.md)
- [APPLICATION CSP](application-csp.md)
- [AppLocker CSP](applocker-csp.md)
+- [AssignedAccess CSP](assignedaccess-csp.md)
- [BOOTSTRAP CSP](bootstrap-csp.md)
- [CellularSettings CSP](cellularsettings-csp.md)
- [CertificateStore CSP](certificatestore-csp.md)
diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
new file mode 100644
index 0000000000..268ff5b5ee
--- /dev/null
+++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
@@ -0,0 +1,121 @@
+---
+title: Enroll a Windows 10 device automatically using Group Policy
+description: Enroll a Windows 10 device automatically using Group Policy
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 10/02/2017
+---
+
+# Enroll a Windows 10 device automatically using Group Policy
+
+Starting in Windows 10, version 1709 you can use a Group Policy to trigger auto-enrollment to MDM for Active Directory (AD) domain joined devices.
+
+Requirements:
+- AD-joined PC running Windows 10, version 1709
+- Enterprise has MDM service already configured
+- Enterprise AD must be registered with Azure AD
+
+> [!Tip]
+> [How to configure automatic registration of Windows domain-joined devices with Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup)
+
+To verify if the device is Azure AD registered, run `dsregcmd /status` from the command line.
+
+Here is a partial screenshot of the result:
+
+
+
+The auto-enrollment relies of the presence of an MDM service and the Azure Active Directory registration for the PC. Starting in Windows 10, version 1607, once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically AAD registered.
+
+> [!Note]
+> In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/en-us/library/mt221945.aspx). For examples, see section 4.3.1 RequestSecurityToken of the the MS-MDE2 protocol documentation.
+
+When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page.
+
+In Windows 10, version 1709, when the same policy is configured in GP and MDM, the GP policy wins (GP policy is take precedence over MDM). In the future release of Windows 10, we are considering a feature that allows the admin to control which policy takes precedence.
+
+For this policy to work, you must verify that the MDM service provider allows the GP triggered MDM enrollment for domain joined devices.
+
+## Configure the auto-enrollment Group Policy for a single PC
+
+This procedure is only for illustration purposes to show how the new auto-enrollment policy works. It is not recommended for the production environment in the enterprise. For bulk deployment, you should use the [Group Policy Management Console process](#configure-the-auto-enrollment-for-a-group-of-devices).
+
+Requirements:
+- AD-joined PC running Windows 10, version 1709
+- Enterprise has MDM service already configured
+- Enterprise AD must be registered with Azure AD
+
+1. Run GPEdit.msc
+
+ Click Start, then in the text box type gpedit.
+
+ 
+
+2. Under **Best match**, click **Edit group policy** to launch it.
+
+3. In **Local Computer Policy**, click **Administrative Templates** > **Windows Components** > **MDM**.
+
+ 
+
+4. Double-click **Auto MDM Enrollment with AAD Token**.
+
+ 
+
+5. Click **Enable**, then click **OK**.
+
+ A task is created and scheduled to run every 5 minutes for the duration of 1 day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD."
+
+ To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app).
+
+ If two-factor authentication is required, you will be prompted to complete the process. Here is an example screenshot.
+
+ 
+
+6. To verify successful enrollment to MDM , click **Start > Settings > Accounts > Access work or school**, then select your domain account.
+
+7. Click **Info** to see the MDM enrollment information.
+
+ 
+
+ If you do not see the **Info** button or the enrollment information, it is possible that the enrollment failed. Check the status in [Task Scheduler app](#task-scheduler-app).
+
+
+### Task Scheduler app
+
+1. Click **Start**, then in the text box type **task scheduler**.
+
+ 
+
+2. Under **Best match**, click **Task Scheduler** to launch it.
+
+3. In **Task Scheduler Library**, open **Microsoft > Windows** , then click **EnterpriseMgmt**.
+
+ 
+
+ To see the result of the task, move the scroll bar to the right to see the **Last Run Result**. Note that **0x80180026** is a failure message (MENROLL\_E_DEVICE\_MANAGEMENT_BLOCKED). You can see the logs in the **History** tab.
+
+ If the device enrollment is blocked, your IT admin may have enabled the **Disable MDM Enrollment** policy. Note that the GPEdit console does not reflect the status of policies set by your IT admin on your device. It is only used by the user to set policies.
+
+## Configure the auto-enrollment for a group of devices
+
+Requirements:
+- AD-joined PC running Windows 10, version 1709
+- Enterprise has MDM service already configured (with Intune or a third party service provider)
+- Enterprise AD must be integrated with Azure AD.
+- Ensure that PCs belong to same computer group.
+
+1. Create a Group Policy Object (GPO) and enable the Group Policy **Auto MDM enrollment with AAD token**.
+2. Create a Security Group for the PCs.
+3. Link the GPO.
+4. Filter using Security Groups.
+5. Enforce a GPO link
+
+### Related topics
+
+- [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc753298(v=ws.11).aspx)
+- [Create and Edit a Group Policy Object](https://technet.microsoft.com/en-us/library/cc754740(v=ws.11).aspx)
+- [Link a Group Policy Object](https://technet.microsoft.com/en-us/library/cc732979(v=ws.11).aspx)
+- [Filter Using Security Groups](https://technet.microsoft.com/en-us/library/cc752992(v=ws.11).aspx)
+- [Enforce a Group Policy Object Link](https://technet.microsoft.com/en-us/library/cc753909(v=ws.11).aspx)
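Review bot: The precedence statement, which admins will rely on when the same setting arrives from both channels, is garbled: "the GP policy wins (GP policy is take precedence over MDM)" should read "takes precedence". Other wording to fix in the new topic: "relies of the presence" (on), "of the the MS-MDE2", "In the future release" (a future release), the leading space inside the quoted task name, and the stray space in "enrollment to MDM ,". The Azure AD requirement is worded "must be registered with Azure AD" in the first two Requirements lists and "must be integrated with Azure AD." in the third; use one term. Step 1 is titled "Run GPEdit.msc" while its body and step 2 describe searching for gpedit from Start, so state one way of launching it. The group procedure is five one-line steps with no detail; tie each step to its matching Related topics link.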
diff --git a/windows/client-management/mdm/images/autoenrollment-2-factor-auth.png b/windows/client-management/mdm/images/autoenrollment-2-factor-auth.png
new file mode 100644
index 0000000000..ba16fbcd27
Binary files /dev/null and b/windows/client-management/mdm/images/autoenrollment-2-factor-auth.png differ
diff --git a/windows/client-management/mdm/images/autoenrollment-device-status.png b/windows/client-management/mdm/images/autoenrollment-device-status.png
new file mode 100644
index 0000000000..67072b0da7
Binary files /dev/null and b/windows/client-management/mdm/images/autoenrollment-device-status.png differ
diff --git a/windows/client-management/mdm/images/autoenrollment-gpedit.png b/windows/client-management/mdm/images/autoenrollment-gpedit.png
new file mode 100644
index 0000000000..e863dfc945
Binary files /dev/null and b/windows/client-management/mdm/images/autoenrollment-gpedit.png differ
diff --git a/windows/client-management/mdm/images/autoenrollment-mdm-policies.png b/windows/client-management/mdm/images/autoenrollment-mdm-policies.png
new file mode 100644
index 0000000000..29cb6d14da
Binary files /dev/null and b/windows/client-management/mdm/images/autoenrollment-mdm-policies.png differ
diff --git a/windows/client-management/mdm/images/autoenrollment-policy.png b/windows/client-management/mdm/images/autoenrollment-policy.png
new file mode 100644
index 0000000000..f9bb009514
Binary files /dev/null and b/windows/client-management/mdm/images/autoenrollment-policy.png differ
diff --git a/windows/client-management/mdm/images/autoenrollment-scheduled-task.png b/windows/client-management/mdm/images/autoenrollment-scheduled-task.png
new file mode 100644
index 0000000000..bfa805bfbd
Binary files /dev/null and b/windows/client-management/mdm/images/autoenrollment-scheduled-task.png differ
diff --git a/windows/client-management/mdm/images/autoenrollment-settings-work-school.png b/windows/client-management/mdm/images/autoenrollment-settings-work-school.png
new file mode 100644
index 0000000000..31fb7a400a
Binary files /dev/null and b/windows/client-management/mdm/images/autoenrollment-settings-work-school.png differ
diff --git a/windows/client-management/mdm/images/autoenrollment-task-schedulerapp.png b/windows/client-management/mdm/images/autoenrollment-task-schedulerapp.png
new file mode 100644
index 0000000000..56f071dcda
Binary files /dev/null and b/windows/client-management/mdm/images/autoenrollment-task-schedulerapp.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-assignedaccess.png b/windows/client-management/mdm/images/provisioning-csp-assignedaccess.png
index df8aa48b95..c8db9ee059 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-assignedaccess.png and b/windows/client-management/mdm/images/provisioning-csp-assignedaccess.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-21-b.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-21-b.png
new file mode 100644
index 0000000000..c75d6ca38f
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-21-b.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-23-b.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-23-b.png
new file mode 100644
index 0000000000..bf44fb2d97
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-23-b.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-24-b.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-24-b.png
new file mode 100644
index 0000000000..66c6b0ee19
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-24-b.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-25-b.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-25-b.png
new file mode 100644
index 0000000000..cd28d561d8
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-25-b.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-33-b.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-33-b.png
new file mode 100644
index 0000000000..48025064e0
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-33-b.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-34-b.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-34-b.png
new file mode 100644
index 0000000000..8fbb961540
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-34-b.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-35-b.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-35-b.png
new file mode 100644
index 0000000000..a3e3fe20d2
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-35-b.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-37-b.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-37-b.png
new file mode 100644
index 0000000000..304bf8aa0b
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-37-b.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-37-c.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-37-c.png
new file mode 100644
index 0000000000..5ed04fb4a2
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-37-c.png differ
diff --git a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
index af2ac59df8..2066c8391f 100644
--- a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
+++ b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
@@ -10,7 +10,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 06/19/2017
+ms.date: 09/19/2017
---
# MDM enrollment of Windows-based devices
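Review bot: `ms.date` is set to 09/19/2017 here, while the other topics touched for the same 1709 changes carry October dates (10/03/2017 in assignedaccess-csp.md, 10/02/2017 in the new Group Policy enrollment topic). If this topic was edited along with them, bump the date to match so the metadata reflects the 1709 additions made later in this file.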
@@ -178,35 +178,33 @@ All Windows 10-based devices can be connected to a work or school account. You
### Using the Settings app
-1. Launch the Settings app.
+1. Launch the Settings app and then click **Accounts**. Click **Start**, then the Settings icon, and then select **Accounts**
- 
+ 
-2. Next, navigate to **Accounts**.
+2. Navigate to **Access work or school**.
- 
+ 
-3. Navigate to **Access work or school**.
+3. Click **Connect**.
- 
+ 
-4. Click **Connect**.
+4. Type in your Azure AD username. This is the email address you use to log into Office 365 and similar services.
- 
+ 
-5. Type in your Azure AD username. This is the email address you use to log into Office 365 and similar services.
-
- 
-
-6. If the tenant is a cloud only tenant, this page will change to show the organization's custom branding, and you will be able to enter your password directly into the page. If the tenant is part of a federated domain, you will be redirected to the organization's on-premises federation server, such as AD FS, for authentication.
+5. If the tenant is a cloud only tenant, this page will change to show the organization's custom branding, and you will be able to enter your password directly into the page. If the tenant is part of a federated domain, you will be redirected to the organization's on-premises federation server, such as AD FS, for authentication.
Based on IT policy, you may also be prompted to provide a second factor of authentication at this point.
If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant is not configured for auto-enrollment, you will have to go through the enrollment flow a second time to connect your device to MDM.
+ Starting in Windows 10, version 1709, you will see the status page that shows the progress of your device being set up.
+

-7. After you complete the flow, your Microsoft account will be connected to your work or school account.
+6. After you complete the flow, your Microsoft account will be connected to your work or school account.

@@ -238,11 +236,12 @@ All Windows 10-based devices can be connected to an MDM. You can connect to an
6. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you’ll be presented with a new window that will ask you for additional authentication information.
- Based on IT policy, you may also be prompted to provide a second factor of authentication at this point.
+ Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. Starting in Windows 10, version 1709, you will see the enrollment progress on screen.
+
+ 
After you complete the flow, your device will be connected to your organization’s MDM.
-
- 
+
### Connecting to MDM on a phone (Enrolling in device management)
@@ -343,16 +342,7 @@ The following procedure describes how users can connect their devices to MDM usi
Your work or school connections can be managed on the **Settings** > **Accounts** > **Access work or school** page. Your connections will show on this page and clicking on one will expand options for that connection.
-
-
-### Manage
-
-The **Manage** button can be found on work or school connections involving Azure AD. This includes the following scenarios:
-
-- Connecting your device to an Azure AD domain
-- Connecting to a work or school account.
-
-Clicking on the manage button will open the Azure AD portal associated with that connection in your default browser.
+
### Info
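Review bot: Removing the whole **Manage** section also removes it for readers on releases before 1709, where, per the note added under **Info** in this same change ("Starting in Windows 10, version 1709, the **Manage** button is no longer available"), the button still exists. Consider keeping the section with a version qualifier instead of deleting it.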
@@ -364,7 +354,12 @@ The **Info** button can be found on work or school connections involving MDM. Th
Clicking the **Info** button will open a new page in the Settings app that provides details about your MDM connection. You’ll be able to view your organization’s support information (if configured) on this page. You’ll also be able to start a sync session which will force your device to communicate to the MDM server and fetch any updates to policies if needed.
-
+Starting in Windows 10, version 1709, clicking the **Info** button will show a list of policies and line-of-business apps installed by your organization. Here is an example screehshot.
+
+
+
+> [!Note]
+> Starting in Windows 10, version 1709, the **Manage** button is no longer available.
### Disconnect
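Review bot: "Here is an example screehshot." has a typo (screenshot). The note about the **Manage** button is placed at the end of the **Info** section, where a reader looking for **Manage** is unlikely to find it; move it to where the **Manage** section used to be.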
@@ -375,16 +370,14 @@ The **Disconnect** button can be found on all work connections. Generally, click
> **Warning** Disconnecting might result in the loss of data on the device.
-
-
-
-
## Collecting diagnostic logs
You can collect diagnostic logs around your work connections by going to **Settings** > **Accounts** > **Access work or school**, and clicking the **Export your management logs** link under **Related Settings**. After you click the link, click **Export** and follow the path displayed to retrieve your management log files.
-
+Starting in Windows 10, version 1709, you can get the advanced diagnostic report by going to **Settings** > **Accounts** > **Access work or school**, and clicking the **Info** button. At the bottom of the Settings page you will see the button to create a report. Here is an example screenshot.
+
+
@@ -392,4 +385,3 @@ You can collect diagnostic logs around your work connections by going to **Setti
-
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index 239445ade8..e9c457174a 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -10,7 +10,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/19/2017
+ms.date: 10/02/2017
---
# What's new in MDM enrollment and management
@@ -1000,8 +1000,21 @@ For details about Microsoft mobile device management protocols for Windows 10 s
Added new policies.
-
Microsoft Store for Business
-
Windows Store for Business name changed to Microsoft Store for Business.
+
Microsoft Store for Business and Microsoft Store
+
Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store.
+
+
[MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md)
+
New features in the Settings app:
+
+
User sees installation progress of critical policies during MDM enrollment.
+
User knows what policies, profiles, apps MDM has configured
+
IT helpdesk can get detailed MDM diagnostic information using client tools
+
+
For details, see [Managing connection](mdm-enrollment-of-windows-devices.md#managing-connections) and [Collecting diagnostic logs](mdm-enrollment-of-windows-devices.md#collecting-diagnostic-logs)
+
+
+
[Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md)
+
Added new topic to introduce a new Group Policy for automatic MDM enrollment.
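Review bot: The link text in the added row reads "[Managing connection]" but its anchor is `#managing-connections`, and the same row added further down in this file uses "[Managing connections]"; make the text plural here. The three feature lines are also punctuated inconsistently: only the first ends with a period.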
@@ -1384,8 +1397,8 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
Starting in Windows 10, version 1709, AssignedAccess CSP is also supported in Windows 10 Pro.
-
Microsoft Store for Business
-
Windows Store for Business name changed to Microsoft Store for Business.
+
Microsoft Store for Business and Microsoft Store
+
Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store.
The [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/en-us/library/mt221945.aspx)
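Review bot: The unchanged line above this rename still says "AssignedAccess CSP is also supported in Windows 10 Pro", while assignedaccess-csp.md in this same change now says "Windows 10 Pro and Windows 10 S". Update this entry too so the two topics agree.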
@@ -1401,9 +1414,24 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
[EntepriseAPN CSP](enterpriseapn-csp.md)
Added a SyncML example.
+
[VPNv2 CSP](vpnv2-csp.md)
Added RegisterDNS setting in Windows 10, version 1709.
+
+
[Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md)
+
Added new topic to introduce a new Group Policy for automatic MDM enrollment.
+
+
+
[MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md)
+
New features in the Settings app:
+
+
User sees installation progress of critical policies during MDM enrollment.
+
User knows what policies, profiles, apps MDM has configured
+
IT helpdesk can get detailed MDM diagnostic information using client tools
+
+
For details, see [Managing connections](mdm-enrollment-of-windows-devices.md#managing-connections) and [Collecting diagnostic logs](mdm-enrollment-of-windows-devices.md#collecting-diagnostic-logs)
+
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 121d77fdb7..f0b176f45a 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/25/2017
+ms.date: 09/29/2017
---
# Policy CSP
@@ -22,6 +22,26 @@ The Policy configuration service provider has the following sub-categories:
- Policy/Config/*AreaName* – Handles the policy configuration request from the server.
- Policy/Result/*AreaName* – Provides a read-only path to policies enforced on the device.
+
+
+> [!Important]
+> Policy scope is the level at which a policy can be configured. Some policies can only be configured at the device level, meaning the policy will take effect independent of who is logged into the device. Other policies can be configured at the user level, meaning the policy will only take effect for that user.
+>
+> The allowed scope of a specific policy is represented below its table of supported Windows editions. To configure a policy under a specific scope (user vs. device), please use the following paths:
+>
+> User scope:
+> - **./User/Vendor/MSFT/Policy/Config/_AreaName/PolicyName_** to configure the policy.
+> - **./User/Vendor/MSFT/Policy/Result/_AreaName/PolicyName_** to get the result.
+>
+> Device scope:
+> - **./Device/Vendor/MSFT/Policy/Config/_AreaName/PolicyName_** to configure the policy.
+> - **./Device/Vendor/MSFT/Policy/Result/_AreaName/PolicyName_** to get the result.
+>
+> For device wide configuration the **_Device/_** portion may be omitted from the path, deeming the following paths respectively equivalent:
+>
+> - **./Vendor/MSFT/Policy/Config/_AreaName/PolicyName_** to configure the policy.
+> - **./Vendor/MSFT/Policy/Result/_AreaName/PolicyName_** to get the result.
+
The following diagram shows the Policy configuration service provider in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning.
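Review bot: The Scope links this change adds to the policy-csp-* topics point at `policy-configuration-service-provider.md#policy-scope`, but the text added here is a `> [!Important]` callout with no heading, so nothing in this hunk creates a `policy-scope` anchor. If the file has no such heading elsewhere, add `## Policy scope` above the callout, otherwise the links will not resolve to this section. Separately, "deeming the following paths respectively equivalent" is hard to parse. Say outright that a path with no `./User` or `./Device` prefix is treated as device scope, because an administrator who intends a per-user setting and leaves the prefix off will apply it to everyone who signs in to the device.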

diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md
index 2268695665..64f921aac1 100644
--- a/windows/client-management/mdm/policy-csp-abovelock.md
+++ b/windows/client-management/mdm/policy-csp-abovelock.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - AboveLock
@@ -14,11 +14,24 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
+
## AboveLock policies
+
+
+**AboveLock/AllowActionCenterNotifications**
@@ -45,6 +58,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
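Review bot: The added Scope block ends with four empty `+` lines after `> * Device`, and the same padding repeats in the Scope blocks throughout this diff. Markdown collapses consecutive blank lines, so one blank line after the checklist is enough; if these topics are generated, fix it in the template rather than by hand. Please also confirm that `> [!div class = "checklist"]` renders with the spaces around `=`, since the usual form is written `class="checklist"` without them.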
@@ -60,6 +82,7 @@ ms.date: 08/30/2017
+**AboveLock/AllowCortanaAboveLock**
@@ -86,6 +109,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. Specifies whether or not the user can interact with Cortana using speech while the system is locked. If you enable or don’t configure this setting, the user can interact with Cortana using speech while the system is locked. If you disable this setting, the system will need to be unlocked for the user to interact with Cortana using speech.
@@ -96,6 +128,7 @@ ms.date: 08/30/2017
+
Specifies whether to allow toast notifications above the device lock screen.
diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md
index f2e678427b..cbec351d99 100644
--- a/windows/client-management/mdm/policy-csp-accounts.md
+++ b/windows/client-management/mdm/policy-csp-accounts.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - Accounts
@@ -14,11 +14,27 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
Specifies whether the user is allowed to use an MSA account for non-email related connection authentication and services.
@@ -98,6 +133,7 @@ ms.date: 08/30/2017
+
Added in Windows 10, version 1703. Allows IT Admins the ability to disable the "Microsoft Account Sign-In Assistant" (wlidsvc) NT service.
@@ -134,6 +179,7 @@ ms.date: 08/30/2017
+
Specifies a list of the domains that are allowed to sync email on the device.
diff --git a/windows/client-management/mdm/policy-csp-activexcontrols.md b/windows/client-management/mdm/policy-csp-activexcontrols.md
index 755aeb5a2e..d01ca2a458 100644
--- a/windows/client-management/mdm/policy-csp-activexcontrols.md
+++ b/windows/client-management/mdm/policy-csp-activexcontrols.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - ActiveXControls
@@ -14,11 +14,18 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
+
+**ActiveXControls/ApprovedInstallationSites**
@@ -45,6 +52,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
This policy setting determines which ActiveX installation sites standard users in your organization can use to install ActiveX controls on their computers. When this setting is enabled, the administrator can create a list of approved Activex Install sites specified by host URL.
diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md
index 838ad9fbc8..4e71e25975 100644
--- a/windows/client-management/mdm/policy-csp-applicationdefaults.md
+++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - ApplicationDefaults
@@ -14,11 +14,18 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
+
## ApplicationDefaults policies
+
Added in Windows 10, version 1703. This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc.xml), and then needs to be base64 encoded before being added to SyncML.
diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md
index bb72e071a6..7690c7eb20 100644
--- a/windows/client-management/mdm/policy-csp-applicationmanagement.md
+++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - ApplicationManagement
@@ -14,11 +14,48 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
Specifies whether app store is allowed at the device.
@@ -252,6 +348,7 @@ ms.date: 08/30/2017
+
**ApplicationManagement/ApplicationRestrictions**
@@ -278,6 +375,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. For desktop devices, use the [AppLocker CSP](applocker-csp.md) instead.
@@ -305,6 +411,7 @@ ms.date: 08/30/2017
+**ApplicationManagement/DisableStoreOriginatedApps**
@@ -331,6 +438,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. Boolean value that disables the launch of all apps from Microsoft Store that came pre-installed or were downloaded.
@@ -341,6 +457,7 @@ ms.date: 08/30/2017
+
Specifies whether the installation of applications is restricted to the system drive.
diff --git a/windows/client-management/mdm/policy-csp-appvirtualization.md b/windows/client-management/mdm/policy-csp-appvirtualization.md
index e44fda0b34..512cbecf60 100644
--- a/windows/client-management/mdm/policy-csp-appvirtualization.md
+++ b/windows/client-management/mdm/policy-csp-appvirtualization.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - AppVirtualization
@@ -14,11 +14,99 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
+
+**AttachmentManager/DoNotPreserveZoneInformation**
@@ -45,6 +58,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
This policy setting allows you to manage whether Windows marks file attachments with information about their zone of origin (such as restricted, Internet, intranet, local). This requires NTFS in order to function correctly, and will fail without notice on FAT32. By not preserving the zone information, Windows cannot make proper risk assessments.
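Review bot: AttachmentManager/DoNotPreserveZoneInformation is listed as User scope only, and per the scope definition added in policy-configuration-service-provider.md a user-scope policy takes effect only for that user. The description below says that without zone information Windows cannot make proper risk assessments, so it is worth one sentence here telling administrators that the setting is delivered under `./User/Vendor/MSFT/Policy/Config/` per user and does not cover other accounts on a shared device.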
@@ -71,6 +93,7 @@ ADMX Info:
+**AttachmentManager/HideZoneInfoMechanism**
@@ -97,6 +120,15 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
This policy setting allows you to manage whether users can manually remove the zone information from saved file attachments by clicking the Unblock button in the file's property sheet or by using a check box in the security warning dialog. Removing the zone information allows users to open potentially dangerous file attachments that Windows has blocked users from opening.
@@ -123,6 +155,7 @@ ADMX Info:
+**AttachmentManager/NotifyAntivirusPrograms**
@@ -149,6 +182,15 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they will all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer's email server, additional calls would be redundant.
diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md
index 3c483fb097..d33bbd648c 100644
--- a/windows/client-management/mdm/policy-csp-authentication.md
+++ b/windows/client-management/mdm/policy-csp-authentication.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/06/2017
+ms.date: 09/29/2017
---
# Policy CSP - Authentication
@@ -14,11 +14,27 @@ ms.date: 09/06/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
+
## Authentication policies
+
Added in Windows 10, version 1709. Specifies whether password reset is enabled for Azure Active Directory accounts. This policy allows the Azure AD tenant administrators to enable self service password reset feature on the windows logon screen.
@@ -55,6 +80,7 @@ ms.date: 09/06/2017
+
Added in Windows 10, version 1607. Allows secondary authentication devices to work with Windows.
diff --git a/windows/client-management/mdm/policy-csp-autoplay.md b/windows/client-management/mdm/policy-csp-autoplay.md
index daac26b55d..f63666cdc6 100644
--- a/windows/client-management/mdm/policy-csp-autoplay.md
+++ b/windows/client-management/mdm/policy-csp-autoplay.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - Autoplay
@@ -14,11 +14,24 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
Specifies the BitLocker Drive Encryption method and cipher strength.
diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md
index 7bd2ea4992..d874f9ffa2 100644
--- a/windows/client-management/mdm/policy-csp-bluetooth.md
+++ b/windows/client-management/mdm/policy-csp-bluetooth.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - Bluetooth
@@ -14,11 +14,30 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
Specifies whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device.
@@ -135,6 +183,7 @@ ms.date: 08/30/2017
+
Set a list of allowable services and profiles. String hex formatted array of Bluetooth service UUIDs in canonical format, delimited by semicolons. For example, {782AFCFC-7CAA-436C-8BF0-78CD0FFBD4AF}.
diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md
index 82c992e8eb..2c7f399858 100644
--- a/windows/client-management/mdm/policy-csp-browser.md
+++ b/windows/client-management/mdm/policy-csp-browser.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - Browser
@@ -14,11 +14,123 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
Added in Windows 10, version 1703. Specifies whether to allow the address bar drop-down functionality in Microsoft Edge. If you want to minimize network connections from Microsoft Edge to Microsoft services, we recommend disabling this functionality.
@@ -60,6 +182,7 @@ ms.date: 08/30/2017
+
Specifies whether autofill on websites is allowed.
@@ -105,6 +238,7 @@ ms.date: 08/30/2017
+
**Browser/AllowBrowser**
@@ -131,6 +265,16 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. For desktop devices, use the [AppLocker CSP](applocker-csp.md) instead.
@@ -149,6 +293,7 @@ ms.date: 08/30/2017
+**Browser/AllowCookies**
@@ -175,6 +320,16 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
Specifies whether cookies are allowed.
@@ -194,6 +349,7 @@ ms.date: 08/30/2017
+
**Browser/AllowDeveloperTools**
@@ -220,6 +376,16 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -236,6 +402,7 @@ ms.date: 08/30/2017
+**Browser/AllowDoNotTrack**
@@ -262,6 +429,16 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
Specifies whether Do Not Track headers are allowed.
@@ -281,6 +458,7 @@ ms.date: 08/30/2017
+
Added in Windows 10, version 1703. Specifies whether users must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash.
@@ -389,6 +599,7 @@ ms.date: 08/30/2017
+
Added in Windows 10, version 1703. Specifies whether to use the Microsoft compatibility list in Microsoft Edge. The Microsoft compatibility list is a Microsoft-provided list that enables sites with known compatibility issues to display properly.
By default, the Microsoft compatibility list is enabled and can be viewed by visiting "about:compat".
@@ -468,6 +700,7 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis
+
**Browser/AllowPasswordManager**
@@ -494,6 +727,16 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
Specifies whether saving and managing passwords locally on the device is allowed.
@@ -513,6 +756,7 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis
+
**Browser/AllowPopups**
@@ -539,6 +783,16 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
Specifies whether pop-up blocker is allowed or enabled.
@@ -558,6 +812,7 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis
+
**Browser/AllowSearchEngineCustomization**
@@ -584,6 +839,16 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
Added in Windows 10, version 1703. Allows search engine customization for MDM-enrolled devices. Users can change their default search engine.
@@ -598,6 +863,7 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis
+
**Browser/AllowSearchSuggestionsinAddressBar**
@@ -624,6 +890,16 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
Specifies whether search suggestions are allowed in the address bar.
@@ -636,6 +912,7 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis
+
**Browser/AllowSmartScreen**
@@ -662,6 +939,16 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
Specifies whether Windows Defender SmartScreen is allowed.
@@ -681,9 +968,20 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis
+
**Browser/AlwaysEnableBooksLibrary**
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
@@ -691,6 +989,7 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis
+
**Browser/ClearBrowsingDataOnExit**
@@ -717,6 +1016,16 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
Added in Windows 10, version 1703. Specifies whether to clear browsing data on exiting Microsoft Edge.
@@ -735,6 +1044,7 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis
+
**Browser/ConfigureAdditionalSearchEngines**
@@ -761,6 +1071,16 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
Added in Windows 10, version 1703. Allows you to add up to 5 additional search engines for MDM-enrolled devices.
@@ -781,6 +1101,7 @@ Employees cannot remove these search engines, but they can set any one as the de
+
**Browser/DisableLockdownOfStartPages**
@@ -807,6 +1128,16 @@ Employees cannot remove these search engines, but they can set any one as the de
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
Added in Windows 10, version 1703. Boolean value that specifies whether the lockdown on the Start pages is disabled. This policy works with the Browser/HomePages policy, which locks down the Start pages that the users cannot modify. You can use the DisableLockdownOfStartPages policy to allow users to modify the Start pages when the Browser/HomePages policy is in effect.
@@ -825,6 +1156,7 @@ Employees cannot remove these search engines, but they can set any one as the de
+
**Browser/EnterpriseModeSiteList**
@@ -851,6 +1183,16 @@ Employees cannot remove these search engines, but they can set any one as the de
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -865,6 +1207,7 @@ Employees cannot remove these search engines, but they can set any one as the de
+**Browser/EnterpriseSiteListServiceUrl**
@@ -891,12 +1234,23 @@ Employees cannot remove these search engines, but they can set any one as the de
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!IMPORTANT]
> This policy (introduced in Windows 10, version 1507) was deprecated in Windows 10, version 1511 by [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist).
+**Browser/FirstRunURL**
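Review bot: Browser/EnterpriseSiteListServiceUrl gets a User and Device Scope checklist directly above the callout saying the policy was deprecated in Windows 10, version 1511. A scope listing on a deprecated policy reads as an invitation to configure it. Either drop the Scope block for this entry or move the deprecation callout above it, so readers see it first and follow the link to Browser/EnterpriseModeSiteList.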
@@ -923,6 +1277,16 @@ Employees cannot remove these search engines, but they can set any one as the de
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@@ -936,6 +1300,7 @@ Employees cannot remove these search engines, but they can set any one as the de
+**Browser/HomePages**
@@ -962,6 +1327,16 @@ Employees cannot remove these search engines, but they can set any one as the de
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!NOTE]
> This policy is only available for Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -977,6 +1352,7 @@ Employees cannot remove these search engines, but they can set any one as the de
+**Browser/LockdownFavorites**
@@ -1003,6 +1379,16 @@ Employees cannot remove these search engines, but they can set any one as the de
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
Added in Windows 10, version 1709. This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge.
@@ -1022,6 +1408,7 @@ Employees cannot remove these search engines, but they can set any one as the de
+
**Browser/PreventAccessToAboutFlagsInMicrosoftEdge**
@@ -1048,6 +1435,16 @@ Employees cannot remove these search engines, but they can set any one as the de
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
Specifies whether users can access the about:flags page, which is used to change developer settings and to enable experimental features.
@@ -1058,6 +1455,7 @@ Employees cannot remove these search engines, but they can set any one as the de
+
**Browser/PreventFirstRunPage**
@@ -1084,6 +1482,16 @@ Employees cannot remove these search engines, but they can set any one as the de
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
Added in Windows 10, version 1703. Specifies whether to enable or disable the First Run webpage. On the first explicit user-launch of Microsoft Edge, a First Run webpage hosted on Microsoft.com opens automatically via a FWLINK. This policy allows enterprises (such as those enrolled in a zero-emissions configuration) to prevent this page from opening.
@@ -1096,6 +1504,7 @@ Employees cannot remove these search engines, but they can set any one as the de
+
**Browser/PreventLiveTileDataCollection**
@@ -1122,6 +1531,16 @@ Employees cannot remove these search engines, but they can set any one as the de
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
Added in Windows 10, version 1703. Specifies whether Microsoft can collect information to create a Live Tile when pinning a site to Start from Microsoft Edge.
@@ -1134,6 +1553,7 @@ Employees cannot remove these search engines, but they can set any one as the de
+
**Browser/PreventSmartScreenPromptOverride**
@@ -1160,6 +1580,16 @@ Employees cannot remove these search engines, but they can set any one as the de
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
Specifies whether users can override the Windows Defender SmartScreen Filter warnings about potentially malicious websites.
@@ -1172,6 +1602,7 @@ Employees cannot remove these search engines, but they can set any one as the de
+
**Browser/PreventSmartScreenPromptOverrideForFiles**
@@ -1198,6 +1629,16 @@ Employees cannot remove these search engines, but they can set any one as the de
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
Specifies whether users can override the Windows Defender SmartScreen Filter warnings about downloading unverified files. Turning this setting on stops users from ignoring the Windows Defender SmartScreen Filter warnings and blocks them from downloading unverified files. Turning this setting off, or not configuring it, lets users ignore the Windows Defender SmartScreen Filter warnings about unverified files and lets them continue the download process.
@@ -1208,6 +1649,7 @@ Employees cannot remove these search engines, but they can set any one as the de
+
**Browser/PreventUsingLocalHostIPAddressForWebRTC**
@@ -1234,6 +1676,16 @@ Employees cannot remove these search engines, but they can set any one as the de
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -1248,6 +1700,7 @@ Employees cannot remove these search engines, but they can set any one as the de
+**Browser/ProvisionFavorites**
@@ -1274,6 +1727,16 @@ Employees cannot remove these search engines, but they can set any one as the de
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
Added in Windows 10, version 1709. This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. Specify the URL which points to the file that has all the data for provisioning favorites (in html format). You can export a set of favorites from Edge and use that html file for provisioning user machines.
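Review bot: The description under the new Scope block says to "Specify the URL which points to the file" but the lines shown do not say which URL forms are accepted or where the file should be hosted. Because employees cannot modify, sort, move, export or delete provisioned favorites, the file is effectively trusted content pushed to every managed browser. If the topic does not already cover this further down, state the supported URL formats and recommend hosting the file where only administrators can write to it.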
@@ -1292,6 +1755,7 @@ Employees cannot remove these search engines, but they can set any one as the de
+
**Browser/SendIntranetTraffictoInternetExplorer**
@@ -1318,6 +1782,16 @@ Employees cannot remove these search engines, but they can set any one as the de
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -1334,6 +1808,7 @@ Employees cannot remove these search engines, but they can set any one as the de
+**Browser/SetDefaultSearchEngine**
@@ -1360,6 +1835,16 @@ Employees cannot remove these search engines, but they can set any one as the de
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
Added in Windows 10, version 1703. Allows you configure the default search engine for your employees. By default, your employees can change the default search engine at any time. If you want to prevent your employees from changing the default search engine that you set, you can do so by configuring the AllowSearchEngineCustomization policy.
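Review bot: The context sentence under the new Scope block reads "Allows you configure the default search engine" and is missing "to". Since this section is being touched, change it to "Allows you to configure", and consider linking AllowSearchEngineCustomization to its entry the way the deprecation note elsewhere in this file links `#browser-enterprisemodesitelist`.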
@@ -1379,6 +1864,7 @@ Employees cannot remove these search engines, but they can set any one as the de
+
**Browser/ShowMessageWhenOpeningSitesInInternetExplorer**
@@ -1405,6 +1891,16 @@ Employees cannot remove these search engines, but they can set any one as the de
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -1421,6 +1917,7 @@ Employees cannot remove these search engines, but they can set any one as the de
+**Browser/SyncFavoritesBetweenIEAndMicrosoftEdge**
@@ -1447,6 +1944,16 @@ Employees cannot remove these search engines, but they can set any one as the de
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
Added in Windows 10, version 1703. Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering.
diff --git a/windows/client-management/mdm/policy-csp-camera.md b/windows/client-management/mdm/policy-csp-camera.md
index ca7b98ecc5..ce33fa4faa 100644
--- a/windows/client-management/mdm/policy-csp-camera.md
+++ b/windows/client-management/mdm/policy-csp-camera.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - Camera
@@ -14,11 +14,18 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
Disables or enables the camera.
diff --git a/windows/client-management/mdm/policy-csp-cellular.md b/windows/client-management/mdm/policy-csp-cellular.md
index b1c206e118..183748ec41 100644
--- a/windows/client-management/mdm/policy-csp-cellular.md
+++ b/windows/client-management/mdm/policy-csp-cellular.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - Cellular
@@ -14,11 +14,18 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
Allows or disallows cellular data roaming on the device. Device reboot is not required to enforce the policy.
@@ -148,6 +220,7 @@ ms.date: 08/30/2017
+
**Connectivity/AllowConnectedDevices**
@@ -174,6 +247,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> This policy requires reboot to take effect.
@@ -187,6 +269,7 @@ ms.date: 08/30/2017
+**Connectivity/AllowNFC**
@@ -213,6 +296,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@@ -229,6 +321,7 @@ ms.date: 08/30/2017
+**Connectivity/AllowUSBConnection**
@@ -255,6 +348,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@@ -273,6 +375,7 @@ ms.date: 08/30/2017
+**Connectivity/AllowVPNOverCellular**
@@ -299,6 +402,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Specifies what type of underlying connections VPN is allowed to use.
@@ -311,6 +423,7 @@ ms.date: 08/30/2017
+
+
+**CredentialProviders/AllowPINLogon**
@@ -45,6 +58,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
This policy setting allows you to control whether a domain user can sign in using a convenience PIN.
@@ -73,6 +95,7 @@ ADMX Info:
+**CredentialProviders/BlockPicturePassword**
@@ -99,6 +122,15 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
This policy setting allows you to control whether a domain user can sign in using a picture password.
@@ -125,6 +157,7 @@ ADMX Info:
+**CredentialProviders/DisableAutomaticReDeploymentCredentials**
@@ -151,6 +184,15 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1709. Boolean policy to disable the visibility of the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device.
diff --git a/windows/client-management/mdm/policy-csp-credentialsui.md b/windows/client-management/mdm/policy-csp-credentialsui.md
index 15d68cf69e..1b7955f4e5 100644
--- a/windows/client-management/mdm/policy-csp-credentialsui.md
+++ b/windows/client-management/mdm/policy-csp-credentialsui.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - CredentialsUI
@@ -14,11 +14,21 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
+
## CredentialsUI policies
+
+
+**CredentialsUI/DisablePasswordReveal**
@@ -45,6 +55,16 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to configure the display of the password reveal button in password entry user experiences.
@@ -73,6 +93,7 @@ ADMX Info:
+**CredentialsUI/EnumerateAdministrators**
@@ -99,6 +120,15 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts are not displayed when the user attempts to elevate a running application.
diff --git a/windows/client-management/mdm/policy-csp-cryptography.md b/windows/client-management/mdm/policy-csp-cryptography.md
index eef7cdeba4..9c5f328c19 100644
--- a/windows/client-management/mdm/policy-csp-cryptography.md
+++ b/windows/client-management/mdm/policy-csp-cryptography.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - Cryptography
@@ -14,11 +14,21 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
+
## Cryptography policies
+
Lists the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win.
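Review bot: The description kept as the last context line of this hunk ends with "Last write win.", which is ungrammatical and leaves the precedence rule unclear. Since the file is being touched anyway, change it to "Last write wins." and hyphenate "semicolon-delimited list" so the format of this cipher allow-list setting reads unambiguously.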
diff --git a/windows/client-management/mdm/policy-csp-dataprotection.md b/windows/client-management/mdm/policy-csp-dataprotection.md
index edba750722..1261f2c311 100644
--- a/windows/client-management/mdm/policy-csp-dataprotection.md
+++ b/windows/client-management/mdm/policy-csp-dataprotection.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - DataProtection
@@ -14,11 +14,21 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when BitLocker or device encryption is enabled.
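Review bot: The DMA description in the trailing context line says "host plug PCI ports" in its second sentence but "hot pluggable" and "hot plug PCI ports" everywhere else, so "host plug" looks like a typo for "hot plug". Please correct it in this change, and consider "child devices" instead of "children devices", because this text defines when DMA is blocked and should not be open to misreading.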
@@ -57,6 +76,7 @@ ms.date: 08/30/2017
+
**DataProtection/LegacySelectiveWipeID**
@@ -83,6 +103,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!IMPORTANT]
> This policy may change in a future release. It may be used for testing purposes, but should not be used in a production environment at this time.
diff --git a/windows/client-management/mdm/policy-csp-datausage.md b/windows/client-management/mdm/policy-csp-datausage.md
index a8724cc2f6..540a7d26a6 100644
--- a/windows/client-management/mdm/policy-csp-datausage.md
+++ b/windows/client-management/mdm/policy-csp-datausage.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - DataUsage
@@ -14,11 +14,21 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
+
## DataUsage policies
+
+
+**DataUsage/SetCost3G**
@@ -45,6 +55,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
This policy setting configures the cost of 3G connections on the local machine.
@@ -75,6 +94,7 @@ ADMX Info:
+**DataUsage/SetCost4G**
@@ -101,6 +121,15 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
This policy setting configures the cost of 4G connections on the local machine.
diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md
index 3f35e2d4eb..9d75a9f6fa 100644
--- a/windows/client-management/mdm/policy-csp-defender.md
+++ b/windows/client-management/mdm/policy-csp-defender.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - Defender
@@ -14,11 +14,120 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
+
## Defender policies
+
+
+**DeliveryOptimization/DOAbsoluteMaxCacheSize**
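Review bot: The added line "**DeliveryOptimization/DOAbsoluteMaxCacheSize**" sits directly under the "## Defender policies" heading in policy-csp-defender.md, so a DeliveryOptimization policy is being introduced in the Defender topic. Please confirm that this entry belongs in this file; if it does not, move it to the DeliveryOptimization topic so the Defender page lists only Defender policies.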
@@ -45,6 +97,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@@ -56,6 +117,7 @@ ms.date: 08/30/2017
+**DeliveryOptimization/DOAllowVPNPeerCaching**
@@ -82,6 +144,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@@ -93,6 +164,7 @@ ms.date: 08/30/2017
+**DeliveryOptimization/DODownloadMode**
@@ -119,6 +191,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@@ -137,6 +218,7 @@ ms.date: 08/30/2017
+**DeliveryOptimization/DOGroupId**
@@ -163,6 +245,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@@ -175,6 +266,7 @@ ms.date: 08/30/2017
+**DeliveryOptimization/DOMaxCacheAge**
@@ -201,6 +293,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@@ -212,6 +313,7 @@ ms.date: 08/30/2017
+**DeliveryOptimization/DOMaxCacheSize**
@@ -238,6 +340,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@@ -249,6 +360,7 @@ ms.date: 08/30/2017
+**DeliveryOptimization/DOMaxDownloadBandwidth**
@@ -275,6 +387,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@@ -286,6 +407,7 @@ ms.date: 08/30/2017
+**DeliveryOptimization/DOMaxUploadBandwidth**
@@ -312,6 +434,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@@ -323,6 +454,7 @@ ms.date: 08/30/2017
+**DeliveryOptimization/DOMinBackgroundQos**
@@ -349,6 +481,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@@ -360,6 +501,7 @@ ms.date: 08/30/2017
+**DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload**
@@ -386,6 +528,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile.
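Review bot: The edition note in the trailing context of this hunk lists "Windows 10 Pro, Business, Enterprise, and Education", while the notes for the neighbouring DeliveryOptimization policies (for example DOMinBackgroundQos and DOMaxUploadBandwidth) list only "Pro, Enterprise, and Education". Please confirm which edition list is correct and make the notes consistent, since admins rely on them to know where the policy is enforced.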
@@ -396,6 +547,7 @@ ms.date: 08/30/2017
+**DeliveryOptimization/DOMinDiskSizeAllowedToPeer**
@@ -422,6 +574,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@@ -436,6 +597,7 @@ ms.date: 08/30/2017
+**DeliveryOptimization/DOMinFileSizeToCache**
@@ -462,6 +624,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@@ -473,6 +644,7 @@ ms.date: 08/30/2017
+**DeliveryOptimization/DOMinRAMAllowedToPeer**
@@ -499,6 +671,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@@ -510,6 +691,7 @@ ms.date: 08/30/2017
+**DeliveryOptimization/DOModifyCacheDrive**
@@ -536,6 +718,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@@ -547,6 +738,7 @@ ms.date: 08/30/2017
+**DeliveryOptimization/DOMonthlyUploadDataCap**
@@ -573,6 +765,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@@ -586,6 +787,7 @@ ms.date: 08/30/2017
+**DeliveryOptimization/DOPercentageMaxDownloadBandwidth**
@@ -612,6 +814,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
diff --git a/windows/client-management/mdm/policy-csp-desktop.md b/windows/client-management/mdm/policy-csp-desktop.md
index 8a3b89d0f5..8d89bebfb5 100644
--- a/windows/client-management/mdm/policy-csp-desktop.md
+++ b/windows/client-management/mdm/policy-csp-desktop.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - Desktop
@@ -14,11 +14,18 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
+
## Desktop policies
+
+
+**Desktop/PreventUserRedirectionOfProfileFolders**
@@ -45,6 +52,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
Prevents users from changing the path to their profile folders.
diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md
index df77a218e7..b45125a146 100644
--- a/windows/client-management/mdm/policy-csp-deviceguard.md
+++ b/windows/client-management/mdm/policy-csp-deviceguard.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - DeviceGuard
@@ -14,11 +14,24 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
+
## DeviceGuard policies
+
Added in Windows 10, version 1709. Turns on virtualization based security(VBS) at the next reboot. virtualization based security uses the Windows Hypervisor to provide support for security services. Value type is integer. Supported values:
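Review bot: The description in the last context line has three wording defects worth fixing while this file is open: "virtualization based security(VBS)" is missing a space before the parenthesis, the second sentence starts with a lowercase "virtualization", and the term is unhyphenated here but written "virtualization-based security" in the Credential Guard description further down the same file. Suggest "Turns on virtualization-based security (VBS) at the next reboot. Virtualization-based security uses the Windows Hypervisor ...".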
@@ -55,6 +77,7 @@ ms.date: 08/30/2017
+
Added in Windows 10, version 1709. This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials at next reboot. Value type is integer. Supported values:
@@ -93,6 +125,7 @@ ms.date: 08/30/2017
+
**DeviceGuard/RequirePlatformSecurityFeatures**
@@ -119,6 +152,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1709. Specifies the platform security level at the next reboot. Value type is integer. Supported values:
diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md
index 4b04c4567d..c57bc0a0a1 100644
--- a/windows/client-management/mdm/policy-csp-deviceinstallation.md
+++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - DeviceInstallation
@@ -14,11 +14,21 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
+
## DeviceInstallation policies
+
+
+**DeviceInstallation/PreventInstallationOfMatchingDeviceIDs**
@@ -45,6 +55,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.
@@ -69,6 +88,7 @@ ADMX Info:
+**DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses**
@@ -95,6 +115,15 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.
diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md
index dcfc34f488..4767db8c6f 100644
--- a/windows/client-management/mdm/policy-csp-devicelock.md
+++ b/windows/client-management/mdm/policy-csp-devicelock.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - DeviceLock
@@ -14,11 +14,63 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
+
## DeviceLock policies
+
+
+**DeviceLock/AllowIdleReturnWithoutPassword**
@@ -45,6 +97,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@@ -63,6 +124,7 @@ ms.date: 08/30/2017
+**DeviceLock/AllowScreenTimeoutWhileLockedUserConfig**
@@ -89,6 +151,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@@ -110,6 +181,7 @@ ms.date: 08/30/2017
+**DeviceLock/AllowSimpleDevicePassword**
@@ -136,6 +208,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Specifies whether PINs or passwords such as "1111" or "1234" are allowed. For the desktop, it also controls the use of picture passwords.
@@ -152,6 +233,7 @@ ms.date: 08/30/2017
+
Determines the type of PIN or password required. This policy only applies if the **DeviceLock/DevicePasswordEnabled** policy is set to 0 (required).
@@ -202,6 +293,7 @@ ms.date: 08/30/2017
+
Added in Windows 10, version 1607. Specifies the default lock screen and logon image shown when no user is signed in. It also sets the specified image for all users, which replaces the default image. The same image is used for both the lock and logon screens. Users will not be able to change this image.
@@ -405,6 +536,7 @@ ms.date: 08/30/2017
+
Added in Windows 10, version 1607. Restricts lock screen image to a specific lock screen provider. Users will not be able change this provider.
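Review bot: The context line at the end of this hunk reads "Users will not be able change this provider.", which is missing "to". Please fix it to "Users will not be able to change this provider." in this change; the lock screen image description just above it already uses the correct form "will not be able to change this image".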
@@ -442,6 +583,7 @@ ms.date: 08/30/2017
+
**DeviceLock/MaxDevicePasswordFailedAttempts**
@@ -468,6 +610,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality.
@@ -493,6 +644,7 @@ The number of authentication failures allowed before the device will be wiped. A
+**DeviceLock/MaxInactivityTimeDeviceLock**
@@ -519,6 +671,15 @@ The number of authentication failures allowed before the device will be wiped. A
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app. Note the Lumia 950 and 950XL have a maximum timeout value of 5 minutes, regardless of the value set by this policy.
@@ -535,6 +696,7 @@ The number of authentication failures allowed before the device will be wiped. A
+
**DeviceLock/MaxInactivityTimeDeviceLockWithExternalDisplay**
@@ -561,6 +723,15 @@ The number of authentication failures allowed before the device will be wiped. A
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked while connected to an external display.
@@ -575,6 +746,7 @@ The number of authentication failures allowed before the device will be wiped. A
+
**DeviceLock/MinDevicePasswordComplexCharacters**
@@ -601,6 +773,15 @@ The number of authentication failures allowed before the device will be wiped. A
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password.
@@ -677,6 +858,7 @@ The number of authentication failures allowed before the device will be wiped. A
+
**DeviceLock/MinDevicePasswordLength**
@@ -703,6 +885,15 @@ The number of authentication failures allowed before the device will be wiped. A
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Specifies the minimum number or characters required in the PIN or password.
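Review bot: The description for DeviceLock/MinDevicePasswordLength in the trailing context line says "the minimum number or characters", which should be "the minimum number of characters". This is the only sentence stating what the setting enforces, so please correct it alongside the Scope block added here.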
@@ -724,6 +915,7 @@ The number of authentication failures allowed before the device will be wiped. A
+
**DeviceLock/PreventLockScreenSlideShow**
@@ -750,6 +942,15 @@ The number of authentication failures allowed before the device will be wiped. A
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen.
@@ -774,6 +975,7 @@ ADMX Info:
+**DeviceLock/ScreenTimeoutWhileLocked**
@@ -800,6 +1002,15 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
diff --git a/windows/client-management/mdm/policy-csp-display.md b/windows/client-management/mdm/policy-csp-display.md
index 7af8189ba0..43c616c9a7 100644
--- a/windows/client-management/mdm/policy-csp-display.md
+++ b/windows/client-management/mdm/policy-csp-display.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - Display
@@ -14,11 +14,21 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
+
## Display policies
+
GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware.
diff --git a/windows/client-management/mdm/policy-csp-education.md b/windows/client-management/mdm/policy-csp-education.md
index 6be666c341..dcb33c8647 100644
--- a/windows/client-management/mdm/policy-csp-education.md
+++ b/windows/client-management/mdm/policy-csp-education.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - Education
@@ -14,11 +14,24 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
+
+**Education/DefaultPrinterName**
@@ -45,6 +58,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
Added in Windows 10, version 1709. This policy allows IT Admins to set the user's default printer.
@@ -52,6 +74,7 @@ The policy value is expected to be the name (network host name) of an installed
+**Education/PreventAddingNewPrinters**
@@ -78,6 +101,15 @@ The policy value is expected to be the name (network host name) of an installed
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
Added in Windows 10, version 1709. Allows IT Admins to prevent user installation of additional printers from the printers settings.
@@ -88,6 +120,7 @@ The following list shows the supported values:
+**Education/PrinterNames**
@@ -114,6 +147,15 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
Added in Windows 10, version 1709. Allows IT Admins to automatically provision printers based on their names (network host names).
diff --git a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md
index c11c6d066d..6f3068b82d 100644
--- a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md
+++ b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - EnterpriseCloudPrint
@@ -14,11 +14,33 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
+
## EnterpriseCloudPrint policies
+
Added in Windows 10, version 1703. Specifies the authentication endpoint for acquiring OAuth tokens. This policy must target ./User, otherwise it fails.
@@ -54,6 +85,7 @@ ms.date: 08/30/2017
+
Added in Windows 10, version 1703. Specifies the GUID of a client application authorized to retrieve OAuth tokens from the OAuthAuthority. This policy must target ./User, otherwise it fails.
@@ -89,6 +130,7 @@ ms.date: 08/30/2017
+
Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the enterprise cloud print client during OAuth authentication. This policy must target ./User, otherwise it fails.
@@ -124,6 +175,7 @@ ms.date: 08/30/2017
+
Added in Windows 10, version 1703. Specifies the per-user end point for discovering cloud printers. This policy must target ./User, otherwise it fails.
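Review bot: Terminology is inconsistent within this file: this description uses "end point" ("the per-user end point for discovering cloud printers"), while the OAuth description earlier in the same file uses "endpoint" ("the authentication endpoint for acquiring OAuth tokens"). Please settle on "endpoint" throughout, including the "discovery end point" wording in the next description.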
@@ -159,6 +220,7 @@ ms.date: 08/30/2017
+
Added in Windows 10, version 1703. Defines the maximum number of printers that should be queried from a discovery end point. This policy must target ./User, otherwise it fails.
@@ -194,6 +265,7 @@ ms.date: 08/30/2017
+
Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the Mopria discovery client during OAuth authentication. This policy must target ./User, otherwise it fails.
diff --git a/windows/client-management/mdm/policy-csp-errorreporting.md b/windows/client-management/mdm/policy-csp-errorreporting.md
index 98c03c6579..c86f76ed58 100644
--- a/windows/client-management/mdm/policy-csp-errorreporting.md
+++ b/windows/client-management/mdm/policy-csp-errorreporting.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - ErrorReporting
@@ -14,11 +14,30 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
+
+**ErrorReporting/CustomizeConsentSettings**
@@ -45,6 +64,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
This policy setting determines the consent behavior of Windows Error Reporting for specific event types.
@@ -79,6 +107,7 @@ ADMX Info:
+**ErrorReporting/DisableWindowsErrorReporting**
@@ -105,6 +134,15 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails.
@@ -129,6 +167,7 @@ ADMX Info:
+**ErrorReporting/DisplayErrorNotification**
@@ -155,6 +194,15 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
This policy setting controls whether users are shown an error dialog box that lets them report an error.
@@ -183,6 +231,7 @@ ADMX Info:
+**ErrorReporting/DoNotSendAdditionalData**
@@ -209,6 +258,15 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically.
@@ -233,6 +291,7 @@ ADMX Info:
+**ErrorReporting/PreventCriticalErrorDisplay**
@@ -259,6 +318,15 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
This policy setting prevents the display of the user interface for critical errors.
diff --git a/windows/client-management/mdm/policy-csp-eventlogservice.md b/windows/client-management/mdm/policy-csp-eventlogservice.md
index a73f5c2b18..60434439fa 100644
--- a/windows/client-management/mdm/policy-csp-eventlogservice.md
+++ b/windows/client-management/mdm/policy-csp-eventlogservice.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - EventLogService
@@ -14,11 +14,27 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
+
## EventLogService policies
+
+
+**Experience/AllowCopyPaste**
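Review bot: `**Experience/AllowCopyPaste**` is added directly under `## EventLogService policies` in policy-csp-eventlogservice.md, and every later hunk under this file header documents an `Experience/...` policy. Either the Experience content was pasted into the wrong topic or the change to the Experience topic lost its own file header. Split it out so the EventLogService page does not list policies from another area.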
@@ -45,6 +106,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@@ -60,6 +130,7 @@ ms.date: 08/30/2017
+**Experience/AllowCortana**
@@ -86,6 +157,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Specifies whether Cortana is allowed on the device. If you enable or don’t configure this setting, Cortana is allowed on the device. If you disable this setting, Cortana is turned off. When Cortana is off, users will still be able to use search to find items on the device.
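Review bot: The description line in this hunk's context contains `don’t`, which is a UTF-8 apostrophe decoded as Windows-1252. Since the hunk already touches this policy, replace it with a plain `don't` and check the file's encoding so the next edit does not reintroduce it.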
@@ -106,6 +186,7 @@ ms.date: 08/30/2017
+
Specifies whether to allow the user to delete the workplace account using the workplace control panel.
@@ -228,6 +338,7 @@ ms.date: 08/30/2017
+
**Experience/AllowSIMErrorDialogPromptWhenNoSIM**
@@ -254,6 +365,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@@ -268,6 +388,7 @@ ms.date: 08/30/2017
+**Experience/AllowScreenCapture**
@@ -294,6 +415,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@@ -310,6 +440,7 @@ ms.date: 08/30/2017
+**Experience/AllowSyncMySettings**
@@ -336,6 +467,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Allows or disallows all Windows sync settings on the device. For information about what settings are sync'ed, see [About sync setting on Windows 10 devices](http://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices).
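Review bot: The link in the description line below the new Scope block still uses `http://windows.microsoft.com/...`; switch it to `https://` while this section is being edited. In the same sentence, `sync'ed` should be `synced`, and the link text "About sync setting" should probably read "settings" to match the URL slug.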
@@ -346,6 +486,7 @@ ms.date: 08/30/2017
+
**Experience/AllowTailoredExperiencesWithDiagnosticData**
@@ -372,6 +513,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -391,6 +541,7 @@ ms.date: 08/30/2017
+**Experience/AllowTaskSwitcher**
@@ -417,6 +568,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@@ -431,6 +591,7 @@ ms.date: 08/30/2017
+**Experience/AllowThirdPartySuggestionsInWindowsSpotlight**
@@ -457,6 +618,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
> [!NOTE]
> This policy is only available for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
@@ -471,6 +641,7 @@ ms.date: 08/30/2017
+**Experience/AllowVoiceRecording**
@@ -497,6 +668,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@@ -513,6 +693,7 @@ ms.date: 08/30/2017
+**Experience/AllowWindowsConsumerFeatures**
@@ -539,6 +720,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -562,6 +752,7 @@ ms.date: 08/30/2017
+**Experience/AllowWindowsSpotlight**
@@ -588,6 +779,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
> [!NOTE]
> This policy is only available for Windows 10 Enterprise and Windows 10 Education.
@@ -604,6 +804,7 @@ ms.date: 08/30/2017
+**Experience/AllowWindowsSpotlightOnActionCenter**
@@ -630,6 +831,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -645,6 +855,7 @@ ms.date: 08/30/2017
+**Experience/AllowWindowsSpotlightWindowsWelcomeExperience**
@@ -671,6 +882,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -687,6 +907,7 @@ The Windows welcome experience feature introduces onboard users to Windows; for
+**Experience/AllowWindowsTips**
@@ -713,6 +934,15 @@ The Windows welcome experience feature introduces onboard users to Windows; for
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Enables or disables Windows Tips / soft landing.
@@ -723,6 +953,7 @@ Enables or disables Windows Tips / soft landing.
+**Experience/ConfigureWindowsSpotlightOnLockScreen**
@@ -749,6 +980,15 @@ Enables or disables Windows Tips / soft landing.
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
> [!NOTE]
> This policy is only available for Windows 10 Enterprise and Windows 10 Education.
@@ -764,6 +1004,7 @@ Enables or disables Windows Tips / soft landing.
+**Experience/DoNotShowFeedbackNotifications**
@@ -790,6 +1031,15 @@ Enables or disables Windows Tips / soft landing.
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Prevents devices from showing feedback questions from Microsoft.
diff --git a/windows/client-management/mdm/policy-csp-exploitguard.md b/windows/client-management/mdm/policy-csp-exploitguard.md
index 292dfa31bc..f408206e83 100644
--- a/windows/client-management/mdm/policy-csp-exploitguard.md
+++ b/windows/client-management/mdm/policy-csp-exploitguard.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - ExploitGuard
@@ -14,11 +14,18 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
Enables the IT admin to push out a configuration representing the desired system and application mitigation options to all the devices in the organization. The configuration is represented by an XML. For more information Exploit Protection, see [Protect devices from exploits with Windows Defender Exploit Guard](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard) and [Import, export, and deploy Exploit Protection configurations](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml).
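Review bot: The context sentence reads `For more information Exploit Protection, see ...`, which is missing "about". Both links in that sentence also hard-code the `en-us` locale in the path; drop the locale segment so readers are served their own language. Worth fixing in this change since the hunk edits the lines directly above.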
diff --git a/windows/client-management/mdm/policy-csp-games.md b/windows/client-management/mdm/policy-csp-games.md
index f6fc32cc9f..868f23aa8e 100644
--- a/windows/client-management/mdm/policy-csp-games.md
+++ b/windows/client-management/mdm/policy-csp-games.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/31/2017
+ms.date: 09/29/2017
---
# Policy CSP - Games
@@ -14,11 +14,18 @@ ms.date: 08/31/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
Added in Windows 10, version 1709. Specifies whether advanced gaming services can be used. These services may send data to Microsoft or publishers of games that use these services. Value type is integer.
@@ -52,6 +68,7 @@ ms.date: 08/31/2017
- 1 (default) - Allowed
This policy can only be turned off in Windows 10 Education and Enterprise editions.
+
diff --git a/windows/client-management/mdm/policy-csp-handwriting.md b/windows/client-management/mdm/policy-csp-handwriting.md
index b2cdcd1ae0..e00909e922 100644
--- a/windows/client-management/mdm/policy-csp-handwriting.md
+++ b/windows/client-management/mdm/policy-csp-handwriting.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/07/2017
+ms.date: 09/29/2017
---
# Policy CSP - Handwriting
@@ -14,11 +14,18 @@ ms.date: 09/07/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
-## Handwriting policies
+
+## Handwriting policies
+
Added in Windows 10. version 1709. This policy allows an enterprise to configure the default mode for the handwriting panel.
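Review bot: `Added in Windows 10. version 1709.` has a period where the footnotes in this same file use a comma (`Added in Windows 10, version 1703.`); fix it while the heading above is being touched. The removal and re-add of `## Handwriting policies` shows no visible difference, so if it is only a trailing-whitespace change, drop it or say so in the commit message.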
@@ -69,4 +85,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
-
\ No newline at end of file
+
+
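Review bot: The file previously had no final newline and now ends with two added blank lines. End the file with a single newline instead.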
diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md
index 7be92bcfc1..1a97e52c6c 100644
--- a/windows/client-management/mdm/policy-csp-internetexplorer.md
+++ b/windows/client-management/mdm/policy-csp-internetexplorer.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - InternetExplorer
@@ -14,11 +14,771 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
+
+**InternetExplorer/AddSearchProvider**
@@ -45,6 +805,16 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to add a specific list of search providers to the user's default list of search providers. Normally, search providers can be added from third-party toolbars or in Setup. The user can also add a search provider from the provider's website.
@@ -69,6 +839,7 @@ ADMX Info:
+**InternetExplorer/AllowActiveXFiltering**
@@ -95,6 +866,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting controls the ActiveX Filtering feature for websites that are running ActiveX controls. The user can choose to turn off ActiveX Filtering for specific websites so that ActiveX controls can run properly.
@@ -119,6 +900,7 @@ ADMX Info:
+**InternetExplorer/AllowAddOnList**
@@ -145,6 +927,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage a list of add-ons to be allowed or denied by Internet Explorer. Add-ons in this case are controls like ActiveX Controls, Toolbars, and Browser Helper Objects (BHOs) which are specifically written to extend or enhance the functionality of the browser or web pages.
@@ -175,6 +967,7 @@ ADMX Info:
+**InternetExplorer/AllowAutoComplete**
@@ -201,6 +994,15 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
> [!TIP]
@@ -219,6 +1021,7 @@ ADMX Info:
+**InternetExplorer/AllowCertificateAddressMismatchWarning**
@@ -245,6 +1048,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -263,6 +1076,7 @@ ADMX Info:
+**InternetExplorer/AllowDeletingBrowsingHistoryOnExit**
@@ -289,6 +1103,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -307,6 +1131,7 @@ ADMX Info:
+**InternetExplorer/AllowEnhancedProtectedMode**
@@ -333,6 +1158,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system.
@@ -359,6 +1194,7 @@ ADMX Info:
+**InternetExplorer/AllowEnterpriseModeFromToolsMenu**
@@ -385,6 +1221,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the Tools menu.
@@ -409,6 +1255,7 @@ ADMX Info:
+**InternetExplorer/AllowEnterpriseModeSiteList**
@@ -435,6 +1282,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode IE, instead of Standard mode, because of compatibility issues. Users can't edit this list.
@@ -459,6 +1316,7 @@ ADMX Info:
+**InternetExplorer/AllowFallbackToSSL3**
@@ -485,6 +1343,15 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!TIP]
@@ -503,6 +1370,7 @@ ADMX Info:
+**InternetExplorer/AllowInternetExplorer7PolicyList**
@@ -529,6 +1397,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to add specific sites that must be viewed in Internet Explorer 7 Compatibility View.
@@ -553,6 +1431,7 @@ ADMX Info:
+**InternetExplorer/AllowInternetExplorerStandardsMode**
@@ -579,6 +1458,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting controls how Internet Explorer displays local intranet content. Intranet content is defined as any webpage that belongs to the local intranet security zone.
@@ -605,6 +1494,7 @@ ADMX Info:
+**InternetExplorer/AllowInternetZoneTemplate**
@@ -631,6 +1521,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
@@ -661,6 +1561,7 @@ ADMX Info:
+**InternetExplorer/AllowIntranetZoneTemplate**
@@ -687,6 +1588,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
@@ -717,6 +1628,7 @@ ADMX Info:
+**InternetExplorer/AllowLocalMachineZoneTemplate**
@@ -743,6 +1655,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
@@ -773,6 +1695,7 @@ ADMX Info:
+**InternetExplorer/AllowLockedDownInternetZoneTemplate**
@@ -799,6 +1722,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
@@ -829,6 +1762,7 @@ ADMX Info:
+**InternetExplorer/AllowLockedDownIntranetZoneTemplate**
@@ -855,6 +1789,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
@@ -885,6 +1829,7 @@ ADMX Info:
+**InternetExplorer/AllowLockedDownLocalMachineZoneTemplate**
@@ -911,6 +1856,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
@@ -941,6 +1896,7 @@ ADMX Info:
+**InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate**
@@ -967,6 +1923,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
@@ -997,6 +1963,7 @@ ADMX Info:
+**InternetExplorer/AllowOneWordEntry**
@@ -1023,6 +1990,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy allows the user to go directly to an intranet site for a one-word entry in the Address bar.
@@ -1047,6 +2024,7 @@ ADMX Info:
+**InternetExplorer/AllowSiteToZoneAssignmentList**
@@ -1073,6 +2051,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone numbers have associated security settings that apply to all of the sites in the zone.
@@ -1103,6 +2091,7 @@ ADMX Info:
+**InternetExplorer/AllowSoftwareWhenSignatureIsInvalid**
@@ -1129,6 +2118,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -1147,6 +2146,7 @@ ADMX Info:
+**InternetExplorer/AllowSuggestedSites**
@@ -1173,6 +2173,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting controls the Suggested Sites feature, which recommends websites based on the users browsing activity. Suggested Sites reports a users browsing history to Microsoft to suggest sites that the user might want to visit.
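Review bot: The description under the new Scope block is missing possessive apostrophes: `the users browsing activity` and `a users browsing history` should be `the user's browsing activity` and `a user's browsing history`. This is the sentence that tells admins browsing history is reported to Microsoft, so it should read cleanly.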
@@ -1199,6 +2209,7 @@ ADMX Info:
+**InternetExplorer/AllowTrustedSitesZoneTemplate**
@@ -1225,6 +2236,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
@@ -1255,6 +2276,7 @@ ADMX Info:
+**InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate**
@@ -1281,6 +2303,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
@@ -1311,6 +2343,7 @@ ADMX Info:
+**InternetExplorer/AllowsRestrictedSitesZoneTemplate**
@@ -1337,6 +2370,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
@@ -1367,6 +2410,7 @@ ADMX Info:
+**InternetExplorer/CheckServerCertificateRevocation**
@@ -1393,6 +2437,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -1411,6 +2465,7 @@ ADMX Info:
+**InternetExplorer/CheckSignaturesOnDownloadedPrograms**
@@ -1437,6 +2492,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -1455,6 +2520,7 @@ ADMX Info:
+**InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses**
@@ -1481,6 +2547,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -1499,6 +2575,7 @@ ADMX Info:
+**InternetExplorer/DisableAdobeFlash**
@@ -1525,6 +2602,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting turns off Adobe Flash in Internet Explorer and prevents applications from using Internet Explorer technology to instantiate Flash objects.
@@ -1551,6 +2638,7 @@ ADMX Info:
+**InternetExplorer/DisableBlockingOfOutdatedActiveXControls**
@@ -1577,6 +2665,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -1595,6 +2693,7 @@ ADMX Info:
+**InternetExplorer/DisableBypassOfSmartScreenWarnings**
@@ -1621,6 +2720,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter prevents the user from browsing to or downloading from sites that are known to host malicious content. SmartScreen Filter also prevents the execution of files that are known to be malicious.
@@ -1645,6 +2754,7 @@ ADMX Info:
+**InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles**
@@ -1671,6 +2781,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter warns the user about executable files that Internet Explorer users do not commonly download from the Internet.
@@ -1695,6 +2815,7 @@ ADMX Info:
+**InternetExplorer/DisableConfiguringHistory**
@@ -1721,6 +2842,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -1739,6 +2870,7 @@ ADMX Info:
+**InternetExplorer/DisableCrashDetection**
@@ -1765,6 +2897,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -1783,6 +2925,7 @@ ADMX Info:
+**InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation**
@@ -1809,6 +2952,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting prevents the user from participating in the Customer Experience Improvement Program (CEIP).
@@ -1835,6 +2988,7 @@ ADMX Info:
+**InternetExplorer/DisableDeletingUserVisitedWebsites**
@@ -1861,6 +3015,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -1879,6 +3043,7 @@ ADMX Info:
+**InternetExplorer/DisableEnclosureDownloading**
@@ -1905,6 +3070,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's computer.
@@ -1929,6 +3104,7 @@ ADMX Info:
+**InternetExplorer/DisableEncryptionSupport**
@@ -1955,6 +3131,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browser and the target server. When the browser attempts to set up a protected communication with the target server, the browser and server negotiate which protocol and version to use. The browser and server attempt to match each others list of supported protocols and versions, and they select the most preferred match.
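Review bot: In the description line following the new Scope block, `each others list of supported protocols and versions` should be `each other's list`. Fix it in this change, since the hunk already edits this policy's section.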
@@ -1981,6 +3167,7 @@ ADMX Info:
+**InternetExplorer/DisableFirstRunWizard**
@@ -2007,6 +3194,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting prevents Internet Explorer from running the First Run wizard the first time a user starts the browser after installing Internet Explorer or Windows.
@@ -2035,6 +3232,7 @@ ADMX Info:
+**InternetExplorer/DisableFlipAheadFeature**
@@ -2061,6 +3259,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website.
@@ -2089,6 +3297,7 @@ ADMX Info:
+**InternetExplorer/DisableHomePageChange**
@@ -2115,6 +3324,15 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
The Home page specified on the General tab of the Internet Options dialog box is the default Web page that Internet Explorer loads whenever it is run.
@@ -2139,6 +3357,7 @@ ADMX Info:
+**InternetExplorer/DisableIgnoringCertificateErrors**
@@ -2165,6 +3384,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -2183,6 +3412,7 @@ ADMX Info:
+**InternetExplorer/DisableInPrivateBrowsing**
@@ -2209,6 +3439,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -2227,6 +3467,7 @@ ADMX Info:
+**InternetExplorer/DisableProcessesInEnhancedProtectedMode**
@@ -2253,6 +3494,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -2271,6 +3522,7 @@ ADMX Info:
+**InternetExplorer/DisableProxyChange**
@@ -2297,6 +3549,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting specifies if a user can change proxy settings.
@@ -2321,6 +3583,7 @@ ADMX Info:
+**InternetExplorer/DisableSearchProviderChange**
@@ -2347,6 +3610,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting prevents the user from changing the default search provider for the Address bar and the toolbar Search box.
@@ -2371,6 +3644,7 @@ ADMX Info:
+**InternetExplorer/DisableSecondaryHomePageChange**
@@ -2397,6 +3671,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
Secondary home pages are the default Web pages that Internet Explorer loads in separate tabs from the home page whenever the browser is run. This policy setting allows you to set default secondary home pages.
@@ -2423,6 +3707,7 @@ ADMX Info:
+**InternetExplorer/DisableSecuritySettingsCheck**
@@ -2449,6 +3734,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -2467,6 +3762,7 @@ ADMX Info:
+**InternetExplorer/DisableUpdateCheck**
@@ -2493,6 +3789,15 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Prevents Internet Explorer from checking whether a new version of the browser is available.
@@ -2519,6 +3824,7 @@ ADMX Info:
+**InternetExplorer/DoNotAllowActiveXControlsInProtectedMode**
@@ -2545,6 +3851,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -2563,6 +3879,7 @@ ADMX Info:
+**InternetExplorer/DoNotAllowUsersToAddSites**
@@ -2589,6 +3906,15 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Prevents users from adding or removing sites from security zones. A security zone is a group of Web sites with the same security level.
@@ -2619,6 +3945,7 @@ ADMX Info:
+**InternetExplorer/DoNotAllowUsersToChangePolicies**
@@ -2645,6 +3972,15 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Prevents users from changing security zone settings. A security zone is a group of Web sites with the same security level.
@@ -2675,6 +4011,7 @@ ADMX Info:
+**InternetExplorer/DoNotBlockOutdatedActiveXControls**
@@ -2701,6 +4038,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.
@@ -2727,6 +4074,7 @@ ADMX Info:
+**InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains**
@@ -2753,6 +4101,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage a list of domains on which Internet Explorer will stop blocking outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.
@@ -2783,6 +4141,7 @@ ADMX Info:
+**InternetExplorer/IncludeAllLocalSites**
@@ -2809,6 +4168,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting controls whether local sites which are not explicitly mapped into any Security Zone are forced into the local Intranet security zone.
@@ -2835,6 +4204,7 @@ ADMX Info:
+**InternetExplorer/IncludeAllNetworkPaths**
@@ -2861,6 +4231,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone.
@@ -2887,6 +4267,7 @@ ADMX Info:
+**InternetExplorer/InternetZoneAllowAccessToDataSources**
@@ -2913,6 +4294,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
@@ -2939,6 +4330,7 @@ ADMX Info:
+**InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls**
@@ -2965,6 +4357,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting manages whether users will be automatically prompted for ActiveX control installations.
@@ -2991,6 +4393,7 @@ ADMX Info:
+**InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads**
@@ -3017,6 +4420,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
@@ -3041,6 +4454,7 @@ ADMX Info:
+**InternetExplorer/InternetZoneAllowCopyPasteViaScript**
@@ -3067,6 +4481,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
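Review bot: After the added Scope block the next context line is `> [!TIP]`, where sibling entries such as `InternetZoneAllowFontDownloads` have a one-line description of the setting, so `InternetZoneAllowCopyPasteViaScript` appears to have no description at all. Since the entry is being touched anyway, add a sentence saying what the setting controls. The other hunks whose trailing context is `> [!TIP]` have the same gap.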
@@ -3085,6 +4509,7 @@ ADMX Info:
+**InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles**
@@ -3111,6 +4536,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -3129,6 +4564,7 @@ ADMX Info:
+**InternetExplorer/InternetZoneAllowFontDownloads**
@@ -3155,6 +4591,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage whether pages of the zone may download HTML fonts.
@@ -3181,6 +4627,7 @@ ADMX Info:
+**InternetExplorer/InternetZoneAllowLessPrivilegedSites**
@@ -3207,6 +4654,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.
@@ -3233,6 +4690,7 @@ ADMX Info:
+**InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles**
@@ -3259,6 +4717,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -3277,6 +4745,7 @@ ADMX Info:
+**InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents**
@@ -3303,6 +4772,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
@@ -3329,6 +4808,7 @@ ADMX Info:
+**InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls**
@@ -3355,6 +4835,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -3373,6 +4863,7 @@ ADMX Info:
+**InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl**
@@ -3399,6 +4890,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -3417,6 +4918,7 @@ ADMX Info:
+**InternetExplorer/InternetZoneAllowScriptInitiatedWindows**
@@ -3443,6 +4945,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -3461,6 +4973,7 @@ ADMX Info:
+**InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls**
@@ -3487,6 +5000,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -3505,6 +5028,7 @@ ADMX Info:
+**InternetExplorer/InternetZoneAllowScriptlets**
@@ -3531,6 +5055,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage whether the user can run scriptlets.
@@ -3557,6 +5091,7 @@ ADMX Info:
+**InternetExplorer/InternetZoneAllowSmartScreenIE**
@@ -3583,6 +5118,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
@@ -3611,6 +5156,7 @@ ADMX Info:
+**InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript**
@@ -3637,6 +5183,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -3655,6 +5211,7 @@ ADMX Info:
+**InternetExplorer/InternetZoneAllowUserDataPersistence**
@@ -3681,6 +5238,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
@@ -3707,6 +5274,7 @@ ADMX Info:
+**InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls**
@@ -3733,6 +5301,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -3751,6 +5329,7 @@ ADMX Info:
+**InternetExplorer/InternetZoneDownloadSignedActiveXControls**
@@ -3777,6 +5356,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -3795,6 +5384,7 @@ ADMX Info:
+**InternetExplorer/InternetZoneDownloadUnsignedActiveXControls**
@@ -3821,6 +5411,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -3839,6 +5439,7 @@ ADMX Info:
+**InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter**
@@ -3865,6 +5466,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -3883,6 +5494,7 @@ ADMX Info:
+**InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows**
@@ -3909,6 +5521,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -3927,6 +5549,7 @@ ADMX Info:
+**InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows**
@@ -3953,6 +5576,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -3971,6 +5604,7 @@ ADMX Info:
+**InternetExplorer/InternetZoneEnableMIMESniffing**
@@ -3997,6 +5631,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -4015,6 +5659,7 @@ ADMX Info:
+**InternetExplorer/InternetZoneEnableProtectedMode**
@@ -4041,6 +5686,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -4059,6 +5714,7 @@ ADMX Info:
+**InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer**
@@ -4085,6 +5741,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -4103,6 +5769,7 @@ ADMX Info:
+**InternetExplorer/InternetZoneInitializeAndScriptActiveXControls**
@@ -4129,6 +5796,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage ActiveX controls not marked as safe.
@@ -4157,6 +5834,7 @@ ADMX Info:
+**InternetExplorer/InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe**
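Review bot: `InternetExplorer/InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe` gets its bold name line here, but no `[Scope]` checklist hunk follows it; the next hunk is already the `InternetZoneJavaPermissions` name line. The neighbouring policies each get both a name line and a Scope block, so add the Scope block for this one or note why it is omitted. The preceding `InternetZoneInitializeAndScriptActiveXControls` entry already carries the "ActiveX controls not marked as safe" description, so it is also worth checking that the two entries are not duplicates.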
@@ -4186,6 +5864,7 @@ ADMX Info:
+**InternetExplorer/InternetZoneJavaPermissions**
@@ -4212,6 +5891,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -4230,6 +5919,7 @@ ADMX Info:
+**InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME**
@@ -4256,6 +5946,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -4274,6 +5974,7 @@ ADMX Info:
+**InternetExplorer/InternetZoneLogonOptions**
@@ -4300,6 +6001,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -4318,6 +6029,7 @@ ADMX Info:
+**InternetExplorer/InternetZoneNavigateWindowsAndFrames**
@@ -4344,6 +6056,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
@@ -4370,6 +6092,7 @@ ADMX Info:
+**InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsNotSignedWithAuthenticode**
@@ -4396,6 +6119,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -4414,6 +6147,7 @@ ADMX Info:
+**InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode**
@@ -4440,6 +6174,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -4458,6 +6202,7 @@ ADMX Info:
+**InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles**
@@ -4484,6 +6229,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -4502,6 +6257,7 @@ ADMX Info:
+**InternetExplorer/InternetZoneUsePopupBlocker**
@@ -4528,6 +6284,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -4546,6 +6312,7 @@ ADMX Info:
+**InternetExplorer/InternetZoneWebsitesInLessPrivilegedZonesCanNavigateIntoThisZone**
@@ -4572,6 +6339,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -4590,6 +6367,7 @@ ADMX Info:
+**InternetExplorer/IntranetZoneAllowAccessToDataSources**
@@ -4616,6 +6394,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
@@ -4642,6 +6430,7 @@ ADMX Info:
+**InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls**
@@ -4668,6 +6457,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting manages whether users will be automatically prompted for ActiveX control installations.
@@ -4694,6 +6493,7 @@ ADMX Info:
+**InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads**
@@ -4720,6 +6520,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
@@ -4744,6 +6554,7 @@ ADMX Info:
+**InternetExplorer/IntranetZoneAllowFontDownloads**
@@ -4770,6 +6581,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage whether pages of the zone may download HTML fonts.
@@ -4796,6 +6617,7 @@ ADMX Info:
+**InternetExplorer/IntranetZoneAllowLessPrivilegedSites**
@@ -4822,6 +6644,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.
@@ -4848,6 +6680,7 @@ ADMX Info:
+**InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents**
@@ -4874,6 +6707,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
@@ -4900,6 +6743,7 @@ ADMX Info:
+**InternetExplorer/IntranetZoneAllowScriptlets**
@@ -4926,6 +6770,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage whether the user can run scriptlets.
@@ -4952,6 +6806,7 @@ ADMX Info:
+**InternetExplorer/IntranetZoneAllowSmartScreenIE**
@@ -4978,6 +6833,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
@@ -5006,6 +6871,7 @@ ADMX Info:
+**InternetExplorer/IntranetZoneAllowUserDataPersistence**
@@ -5032,6 +6898,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
@@ -5058,6 +6934,7 @@ ADMX Info:
+**InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls**
@@ -5084,6 +6961,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -5102,6 +6989,7 @@ ADMX Info:
+**InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls**
@@ -5128,6 +7016,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage ActiveX controls not marked as safe.
@@ -5156,6 +7054,7 @@ ADMX Info:
+**InternetExplorer/IntranetZoneInitializeAndScriptActiveXControlsNotMarkedSafe**
@@ -5182,6 +7081,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -5200,6 +7109,7 @@ ADMX Info:
+**InternetExplorer/IntranetZoneJavaPermissions**
@@ -5226,6 +7136,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -5244,6 +7164,7 @@ ADMX Info:
+**InternetExplorer/IntranetZoneNavigateWindowsAndFrames**
@@ -5270,6 +7191,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
@@ -5296,6 +7227,7 @@ ADMX Info:
+**InternetExplorer/LocalMachineZoneAllowAccessToDataSources**
@@ -5322,6 +7254,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
@@ -5348,6 +7290,7 @@ ADMX Info:
+**InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls**
@@ -5374,6 +7317,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting manages whether users will be automatically prompted for ActiveX control installations.
@@ -5400,6 +7353,7 @@ ADMX Info:
+**InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads**
@@ -5426,6 +7380,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
@@ -5450,6 +7414,7 @@ ADMX Info:
+**InternetExplorer/LocalMachineZoneAllowFontDownloads**
@@ -5476,6 +7441,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage whether pages of the zone may download HTML fonts.
@@ -5502,6 +7477,7 @@ ADMX Info:
+**InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites**
@@ -5528,6 +7504,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
@@ -5554,6 +7540,7 @@ ADMX Info:
+**InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents**
@@ -5580,6 +7567,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
@@ -5606,6 +7603,7 @@ ADMX Info:
+**InternetExplorer/LocalMachineZoneAllowScriptlets**
@@ -5632,6 +7630,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage whether the user can run scriptlets.
@@ -5658,6 +7666,7 @@ ADMX Info:
+**InternetExplorer/LocalMachineZoneAllowSmartScreenIE**
@@ -5684,6 +7693,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
@@ -5712,6 +7731,7 @@ ADMX Info:
+**InternetExplorer/LocalMachineZoneAllowUserDataPersistence**
@@ -5738,6 +7758,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
@@ -5764,6 +7794,7 @@ ADMX Info:
+**InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls**
@@ -5790,6 +7821,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -5808,6 +7849,7 @@ ADMX Info:
+**InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls**
@@ -5834,6 +7876,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage ActiveX controls not marked as safe.
@@ -5862,6 +7914,7 @@ ADMX Info:
+**InternetExplorer/LocalMachineZoneJavaPermissions**
@@ -5888,6 +7941,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -5906,6 +7969,7 @@ ADMX Info:
+**InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames**
@@ -5932,6 +7996,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
@@ -5958,6 +8032,7 @@ ADMX Info:
+**InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources**
@@ -5984,6 +8059,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
@@ -6010,6 +8095,7 @@ ADMX Info:
+**InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls**
@@ -6036,6 +8122,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting manages whether users will be automatically prompted for ActiveX control installations.
@@ -6062,6 +8158,7 @@ ADMX Info:
+**InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads**
@@ -6088,6 +8185,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
@@ -6112,6 +8219,7 @@ ADMX Info:
+**InternetExplorer/LockedDownInternetZoneAllowFontDownloads**
@@ -6138,6 +8246,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage whether pages of the zone may download HTML fonts.
@@ -6164,6 +8282,7 @@ ADMX Info:
+**InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites**
@@ -6190,6 +8309,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
@@ -6216,6 +8345,7 @@ ADMX Info:
+**InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents**
@@ -6242,6 +8372,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
@@ -6268,6 +8408,7 @@ ADMX Info:
+**InternetExplorer/LockedDownInternetZoneAllowScriptlets**
@@ -6294,6 +8435,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage whether the user can run scriptlets.
@@ -6320,6 +8471,7 @@ ADMX Info:
+**InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE**
@@ -6346,6 +8498,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
@@ -6374,6 +8536,7 @@ ADMX Info:
+**InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence**
@@ -6400,6 +8563,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
@@ -6426,6 +8599,7 @@ ADMX Info:
+**InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls**
@@ -6452,6 +8626,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage ActiveX controls not marked as safe.
@@ -6480,6 +8664,7 @@ ADMX Info:
+**InternetExplorer/LockedDownInternetZoneJavaPermissions**
@@ -6506,6 +8691,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -6524,6 +8719,7 @@ ADMX Info:
+**InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames**
@@ -6550,6 +8746,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
@@ -6576,6 +8782,7 @@ ADMX Info:
+**InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources**
@@ -6602,6 +8809,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
@@ -6628,6 +8845,7 @@ ADMX Info:
+**InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls**
@@ -6654,6 +8872,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting manages whether users will be automatically prompted for ActiveX control installations.
@@ -6680,6 +8908,7 @@ ADMX Info:
+**InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads**
@@ -6706,6 +8935,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
@@ -6730,6 +8969,7 @@ ADMX Info:
+**InternetExplorer/LockedDownIntranetZoneAllowFontDownloads**
@@ -6756,6 +8996,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage whether pages of the zone may download HTML fonts.
@@ -6782,6 +9032,7 @@ ADMX Info:
+**InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites**
@@ -6808,6 +9059,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
@@ -6834,6 +9095,7 @@ ADMX Info:
+**InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents**
@@ -6860,6 +9122,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
@@ -6886,6 +9158,7 @@ ADMX Info:
+**InternetExplorer/LockedDownIntranetZoneAllowScriptlets**
@@ -6912,6 +9185,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage whether the user can run scriptlets.
@@ -6938,6 +9221,7 @@ ADMX Info:
+**InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE**
@@ -6964,6 +9248,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
@@ -6992,6 +9286,7 @@ ADMX Info:
+**InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence**
@@ -7018,6 +9313,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
@@ -7044,6 +9349,7 @@ ADMX Info:
+**InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls**
@@ -7070,6 +9376,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage ActiveX controls not marked as safe.
@@ -7098,6 +9414,7 @@ ADMX Info:
+**InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames**
@@ -7124,6 +9441,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
@@ -7150,6 +9477,7 @@ ADMX Info:
+**InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources**
@@ -7176,6 +9504,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
@@ -7202,6 +9540,7 @@ ADMX Info:
+**InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls**
@@ -7228,6 +9567,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting manages whether users will be automatically prompted for ActiveX control installations.
@@ -7254,6 +9603,7 @@ ADMX Info:
+**InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads**
@@ -7280,6 +9630,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
@@ -7304,6 +9664,7 @@ ADMX Info:
+**InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads**
@@ -7330,6 +9691,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage whether pages of the zone may download HTML fonts.
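Review bot: The Scope block added here is the same ten lines pasted into each policy entry, with only the checklist items as real content. If the docs toolchain supports a shared include for the `[Scope](./policy-configuration-service-provider.md#policy-scope):` line and the checklist, using one would keep the link and wording from drifting between entries. If it does not, consider a lint check that every policy entry carries exactly one Scope block.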
@@ -7356,6 +9727,7 @@ ADMX Info:
+**InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites**
@@ -7382,6 +9754,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
@@ -7408,6 +9790,7 @@ ADMX Info:
+**InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents**
@@ -7434,6 +9817,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
@@ -7460,6 +9853,7 @@ ADMX Info:
+**InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets**
@@ -7486,6 +9880,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage whether the user can run scriptlets.
@@ -7512,6 +9916,7 @@ ADMX Info:
+**InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE**
@@ -7538,6 +9943,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
@@ -7566,6 +9981,7 @@ ADMX Info:
+**InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence**
@@ -7592,6 +10008,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
@@ -7618,6 +10044,7 @@ ADMX Info:
+**InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls**
@@ -7644,6 +10071,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage ActiveX controls not marked as safe.
@@ -7672,6 +10109,7 @@ ADMX Info:
+**InternetExplorer/LockedDownLocalMachineZoneJavaPermissions**
@@ -7698,6 +10136,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -7716,6 +10164,7 @@ ADMX Info:
+**InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames**
@@ -7742,6 +10191,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
@@ -7768,6 +10227,7 @@ ADMX Info:
+**InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources**
@@ -7794,6 +10254,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
@@ -7820,6 +10290,7 @@ ADMX Info:
+**InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls**
@@ -7846,6 +10317,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting manages whether users will be automatically prompted for ActiveX control installations.
@@ -7872,6 +10353,7 @@ ADMX Info:
+**InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads**
@@ -7898,6 +10380,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
@@ -7922,6 +10414,7 @@ ADMX Info:
+**InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads**
@@ -7948,6 +10441,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage whether pages of the zone may download HTML fonts.
@@ -7974,6 +10477,7 @@ ADMX Info:
+**InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites**
@@ -8000,6 +10504,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
@@ -8026,6 +10540,7 @@ ADMX Info:
+**InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents**
@@ -8052,6 +10567,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
@@ -8078,6 +10603,7 @@ ADMX Info:
+**InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets**
@@ -8104,6 +10630,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage whether the user can run scriptlets.
@@ -8130,6 +10666,7 @@ ADMX Info:
+**InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE**
@@ -8156,6 +10693,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
@@ -8184,6 +10731,7 @@ ADMX Info:
+**InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence**
@@ -8210,6 +10758,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
@@ -8236,6 +10794,7 @@ ADMX Info:
+**InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls**
@@ -8262,6 +10821,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage ActiveX controls not marked as safe.
@@ -8290,6 +10859,7 @@ ADMX Info:
+**InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions**
@@ -8316,6 +10886,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -8334,6 +10914,7 @@ ADMX Info:
+**InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames**
@@ -8360,6 +10941,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
@@ -8386,6 +10977,7 @@ ADMX Info:
+**InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources**
@@ -8412,6 +11004,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
@@ -8438,6 +11040,7 @@ ADMX Info:
+**InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls**
@@ -8464,6 +11067,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting manages whether users will be automatically prompted for ActiveX control installations.
@@ -8490,6 +11103,7 @@ ADMX Info:
+**InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads**
@@ -8516,6 +11130,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
@@ -8540,6 +11164,7 @@ ADMX Info:
+**InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads**
@@ -8566,6 +11191,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage whether pages of the zone may download HTML fonts.
@@ -8592,6 +11227,7 @@ ADMX Info:
+**InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites**
@@ -8618,6 +11254,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
@@ -8644,6 +11290,7 @@ ADMX Info:
+**InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents**
@@ -8670,6 +11317,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
@@ -8696,6 +11353,7 @@ ADMX Info:
+**InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets**
@@ -8722,6 +11380,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage whether the user can run scriptlets.
@@ -8748,6 +11416,7 @@ ADMX Info:
+**InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE**
@@ -8774,6 +11443,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
@@ -8802,6 +11481,7 @@ ADMX Info:
+**InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence**
@@ -8828,6 +11508,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
@@ -8854,6 +11544,7 @@ ADMX Info:
+**InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls**
@@ -8880,6 +11571,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage ActiveX controls not marked as safe.
@@ -8908,6 +11609,7 @@ ADMX Info:
+**InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions**
@@ -8934,6 +11636,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -8952,6 +11664,7 @@ ADMX Info:
+**InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames**
@@ -8978,6 +11691,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
@@ -9004,6 +11727,7 @@ ADMX Info:
+**InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses**
@@ -9030,6 +11754,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -9048,6 +11782,7 @@ ADMX Info:
+**InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses**
@@ -9074,6 +11809,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -9092,6 +11837,7 @@ ADMX Info:
+**InternetExplorer/NotificationBarInternetExplorerProcesses**
@@ -9118,6 +11864,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -9136,6 +11892,7 @@ ADMX Info:
+**InternetExplorer/PreventManagingSmartScreenFilter**
@@ -9162,6 +11919,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -9180,6 +11947,7 @@ ADMX Info:
+**InternetExplorer/PreventPerUserInstallationOfActiveXControls**
@@ -9206,6 +11974,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -9224,6 +12002,7 @@ ADMX Info:
+**InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses**
@@ -9250,6 +12029,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -9268,6 +12057,7 @@ ADMX Info:
+**InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls**
@@ -9294,6 +12084,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -9312,6 +12112,7 @@ ADMX Info:
+**InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses**
@@ -9338,6 +12139,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -9356,6 +12167,7 @@ ADMX Info:
+**InternetExplorer/RestrictFileDownloadInternetExplorerProcesses**
@@ -9382,6 +12194,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -9400,6 +12222,7 @@ ADMX Info:
+**InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources**
@@ -9426,6 +12249,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
@@ -9452,6 +12285,7 @@ ADMX Info:
+**InternetExplorer/RestrictedSitesZoneAllowActiveScripting**
@@ -9478,6 +12312,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -9496,6 +12340,7 @@ ADMX Info:
+**InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls**
@@ -9522,6 +12367,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting manages whether users will be automatically prompted for ActiveX control installations.
@@ -9548,6 +12403,7 @@ ADMX Info:
+**InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads**
@@ -9574,6 +12430,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
@@ -9598,6 +12464,7 @@ ADMX Info:
+**InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors**
@@ -9624,6 +12491,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -9642,6 +12519,7 @@ ADMX Info:
+**InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript**
@@ -9668,6 +12546,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -9686,6 +12574,7 @@ ADMX Info:
+**InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles**
@@ -9712,6 +12601,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -9730,6 +12629,7 @@ ADMX Info:
+**InternetExplorer/RestrictedSitesZoneAllowFileDownloads**
@@ -9756,6 +12656,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -9774,6 +12684,7 @@ ADMX Info:
+**InternetExplorer/RestrictedSitesZoneAllowFontDownloads**
@@ -9800,6 +12711,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage whether pages of the zone may download HTML fonts.
@@ -9826,6 +12747,7 @@ ADMX Info:
+**InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites**
@@ -9852,6 +12774,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
@@ -9878,6 +12810,7 @@ ADMX Info:
+**InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles**
@@ -9904,6 +12837,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -9922,6 +12865,7 @@ ADMX Info:
+**InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH**
@@ -9948,6 +12892,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -9966,6 +12920,7 @@ ADMX Info:
+**InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents**
@@ -9992,6 +12947,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
@@ -10018,6 +12983,7 @@ ADMX Info:
+**InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls**
@@ -10044,6 +13010,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -10062,6 +13038,7 @@ ADMX Info:
+**InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl**
@@ -10088,6 +13065,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -10106,6 +13093,7 @@ ADMX Info:
+**InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows**
@@ -10132,6 +13120,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -10150,6 +13148,7 @@ ADMX Info:
+**InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls**
@@ -10176,6 +13175,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -10194,6 +13203,7 @@ ADMX Info:
+**InternetExplorer/RestrictedSitesZoneAllowScriptlets**
@@ -10220,6 +13230,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage whether the user can run scriptlets.
@@ -10246,6 +13266,7 @@ ADMX Info:
+**InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE**
@@ -10272,6 +13293,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
@@ -10300,6 +13331,7 @@ ADMX Info:
+**InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript**
@@ -10326,6 +13358,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -10344,6 +13386,7 @@ ADMX Info:
+**InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence**
@@ -10370,6 +13413,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
@@ -10396,6 +13449,7 @@ ADMX Info:
+**InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls**
@@ -10422,6 +13476,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -10440,6 +13504,7 @@ ADMX Info:
+**InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls**
@@ -10466,6 +13531,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -10484,6 +13559,7 @@ ADMX Info:
+**InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls**
@@ -10510,6 +13586,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -10528,6 +13614,7 @@ ADMX Info:
+**InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter**
@@ -10554,6 +13641,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -10572,6 +13669,7 @@ ADMX Info:
+**InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows**
@@ -10598,6 +13696,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -10616,6 +13724,7 @@ ADMX Info:
+**InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows**
@@ -10642,6 +13751,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -10660,6 +13779,7 @@ ADMX Info:
+**InternetExplorer/RestrictedSitesZoneEnableMIMESniffing**
@@ -10686,6 +13806,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -10704,6 +13834,7 @@ ADMX Info:
+**InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer**
@@ -10730,6 +13861,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -10748,6 +13889,7 @@ ADMX Info:
+**InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls**
@@ -10774,6 +13916,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage ActiveX controls not marked as safe.
@@ -10802,6 +13954,7 @@ ADMX Info:
+**InternetExplorer/RestrictedSitesZoneJavaPermissions**
@@ -10828,6 +13981,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -10846,6 +14009,7 @@ ADMX Info:
+**InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME**
@@ -10872,6 +14036,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -10890,6 +14064,7 @@ ADMX Info:
+**InternetExplorer/RestrictedSitesZoneLogonOptions**
@@ -10916,6 +14091,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -10934,6 +14119,7 @@ ADMX Info:
+**InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames**
@@ -10960,6 +14146,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
@@ -10986,6 +14182,7 @@ ADMX Info:
+**InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFramesAcrossDomains**
@@ -11012,6 +14209,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -11030,6 +14237,7 @@ ADMX Info:
+**InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins**
@@ -11056,6 +14264,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -11074,6 +14292,7 @@ ADMX Info:
+**InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode**
@@ -11100,6 +14319,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -11118,6 +14347,7 @@ ADMX Info:
+**InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting**
@@ -11144,6 +14374,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -11162,6 +14402,7 @@ ADMX Info:
+**InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets**
@@ -11188,6 +14429,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -11206,6 +14457,7 @@ ADMX Info:
+**InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles**
@@ -11232,6 +14484,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -11250,6 +14512,7 @@ ADMX Info:
+**InternetExplorer/RestrictedSitesZoneTurnOnCrossSiteScriptingFilter**
@@ -11276,6 +14539,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -11294,6 +14567,7 @@ ADMX Info:
+**InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode**
@@ -11320,6 +14594,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -11338,6 +14622,7 @@ ADMX Info:
+**InternetExplorer/RestrictedSitesZoneUsePopupBlocker**
@@ -11364,6 +14649,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -11382,6 +14677,7 @@ ADMX Info:
+**InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses**
@@ -11408,6 +14704,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -11426,6 +14732,7 @@ ADMX Info:
+**InternetExplorer/SearchProviderList**
@@ -11452,6 +14759,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to restrict the search providers that appear in the Search box in Internet Explorer to those defined in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Normally, search providers can be added from third-party toolbars or in Setup, but the user can also add them from a search provider's website.
@@ -11476,6 +14793,7 @@ ADMX Info:
+**InternetExplorer/SecurityZonesUseOnlyMachineSettings**
@@ -11502,6 +14820,15 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!TIP]
@@ -11520,6 +14847,7 @@ ADMX Info:
+**InternetExplorer/SpecifyUseOfActiveXInstallerService**
@@ -11546,6 +14874,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -11564,6 +14902,7 @@ ADMX Info:
+**InternetExplorer/TrustedSitesZoneAllowAccessToDataSources**
@@ -11590,6 +14929,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
@@ -11616,6 +14965,7 @@ ADMX Info:
+**InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls**
@@ -11642,6 +14992,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting manages whether users will be automatically prompted for ActiveX control installations.
@@ -11668,6 +15028,7 @@ ADMX Info:
+**InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads**
@@ -11694,6 +15055,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
@@ -11718,6 +15089,7 @@ ADMX Info:
+**InternetExplorer/TrustedSitesZoneAllowFontDownloads**
@@ -11744,6 +15116,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage whether pages of the zone may download HTML fonts.
@@ -11770,6 +15152,7 @@ ADMX Info:
+**InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites**
@@ -11796,6 +15179,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.
@@ -11822,6 +15215,7 @@ ADMX Info:
+**InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents**
@@ -11848,6 +15242,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
@@ -11874,6 +15278,7 @@ ADMX Info:
+**InternetExplorer/TrustedSitesZoneAllowScriptlets**
@@ -11900,6 +15305,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage whether the user can run scriptlets.
@@ -11926,6 +15341,7 @@ ADMX Info:
+**InternetExplorer/TrustedSitesZoneAllowSmartScreenIE**
@@ -11952,6 +15368,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
@@ -11980,6 +15406,7 @@ ADMX Info:
+**InternetExplorer/TrustedSitesZoneAllowUserDataPersistence**
@@ -12006,6 +15433,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
@@ -12032,6 +15469,7 @@ ADMX Info:
+**InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls**
@@ -12058,6 +15496,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -12076,6 +15524,7 @@ ADMX Info:
+**InternetExplorer/TrustedSitesZoneDontRunAntimalwareProgramsAgainstActiveXControls**
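Review bot: the heading added here, TrustedSitesZoneDontRunAntimalwareProgramsAgainstActiveXControls, is a near-duplicate of TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls added in the previous policy block, and both get the same User/Device scope and only a TIP placeholder below it. Since this setting decides whether antimalware scanning of ActiveX controls is skipped in the Trusted Sites zone, say which of the two nodes is the supported one and mark the other as deprecated or remove it, so an admin does not configure a name that has no effect.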
@@ -12102,6 +15551,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -12120,6 +15579,7 @@ ADMX Info:
+**InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls**
@@ -12146,6 +15606,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage ActiveX controls not marked as safe.
@@ -12174,6 +15644,7 @@ ADMX Info:
+**InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedAsSafe**
@@ -12200,6 +15671,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -12218,6 +15699,7 @@ ADMX Info:
+**InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsNotMarkedSafe**
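Review bot: this heading is the third spelling of one setting in a row: TrustedSitesZoneInitializeAndScriptActiveXControls (whose description already reads "manage ActiveX controls not marked as safe"), then ...NotMarkedAsSafe, then ...NotMarkedSafe here. Only the first carries a description; the other two show just the TIP placeholder. Please keep one documented name and note on the others that they are aliases or slated for removal, rather than giving all three their own heading.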
@@ -12244,6 +15726,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -12262,6 +15754,7 @@ ADMX Info:
+**InternetExplorer/TrustedSitesZoneJavaPermissions**
@@ -12288,6 +15781,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!TIP]
@@ -12306,6 +15809,7 @@ ADMX Info:
+**InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames**
@@ -12332,6 +15836,16 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md
index d4683f4ded..0297e2a41a 100644
--- a/windows/client-management/mdm/policy-csp-kerberos.md
+++ b/windows/client-management/mdm/policy-csp-kerberos.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - Kerberos
@@ -14,11 +14,30 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
+
## Kerberos policies
+
+
+**Kerberos/AllowForestSearchOrder**
@@ -45,6 +64,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs).
@@ -69,6 +97,7 @@ ADMX Info:
+**Kerberos/KerberosClientSupportsClaimsCompoundArmor**
@@ -95,6 +124,15 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features.
If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains which support claims and compound authentication for Dynamic Access Control and Kerberos armoring.
@@ -118,6 +156,7 @@ ADMX Info:
+**Kerberos/RequireKerberosArmoring**
@@ -144,6 +183,15 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller.
@@ -172,6 +220,7 @@ ADMX Info:
+**Kerberos/RequireStrictKDCValidation**
@@ -198,6 +247,15 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate logon.
@@ -222,6 +280,7 @@ ADMX Info:
+**Kerberos/SetMaximumContextTokenSize**
@@ -248,6 +307,15 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
This policy setting allows you to set the value returned to applications which request the maximum size of the SSPI context token buffer size.
diff --git a/windows/client-management/mdm/policy-csp-licensing.md b/windows/client-management/mdm/policy-csp-licensing.md
index a8f855bc5e..47c63e821c 100644
--- a/windows/client-management/mdm/policy-csp-licensing.md
+++ b/windows/client-management/mdm/policy-csp-licensing.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - Licensing
@@ -14,11 +14,21 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
+
## Licensing policies
+
Added in Windows 10, version 1607. Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state.
diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
index 5eb02ceae2..f2c1e120e8 100644
--- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
+++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - LocalPoliciesSecurityOptions
@@ -14,11 +14,87 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
+
+**LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts**
@@ -45,6 +121,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
This policy setting prevents users from adding new Microsoft accounts on this computer.
@@ -61,6 +146,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+**LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus**
@@ -87,6 +173,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
This security setting determines whether the local Administrator account is enabled or disabled.
@@ -104,6 +199,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+**LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus**
@@ -130,6 +226,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
This security setting determines if the Guest account is enabled or disabled.
@@ -144,6 +249,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+**LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly**
@@ -170,6 +276,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Accounts: Limit local account use of blank passwords to console logon only
@@ -192,6 +307,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+**LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount**
@@ -218,6 +334,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Accounts: Rename administrator account
@@ -229,6 +354,7 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete.
+**LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount**
@@ -255,6 +381,15 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete.
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Accounts: Rename guest account
@@ -266,6 +401,7 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete.
+**LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked**
@@ -292,6 +428,15 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete.
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Interactive Logon:Display user information when the session is locked
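Review bot: the unchanged description line directly under the new Scope block reads "Interactive Logon:Display user information when the session is locked", with a capital L and no space after the colon, while the neighbouring entries in this file use "Interactive logon: ...". Worth normalising in this pass since the section is being touched anyway.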
@@ -304,6 +449,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+**LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn**
@@ -330,6 +476,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Interactive logon: Don't display last signed-in
@@ -347,6 +502,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+**LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn**
@@ -373,6 +529,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Interactive logon: Don't display username at sign-in
@@ -391,6 +556,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+**LocalPoliciesSecurityOptions/InteractiveLogon_DoNotRequireCTRLALTDEL**
@@ -417,6 +583,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Interactive logon: Do not require CTRL+ALT+DEL
@@ -436,6 +611,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+**LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit**
@@ -462,6 +638,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Interactive logon: Machine inactivity limit.
@@ -476,6 +661,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+**LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn**
@@ -502,6 +688,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Interactive logon: Message text for users attempting to log on
@@ -515,6 +710,7 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete.
+**LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn**
@@ -541,6 +737,15 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete.
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Interactive logon: Message title for users attempting to log on
@@ -552,6 +757,7 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete.
+**LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests**
@@ -578,6 +784,15 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete.
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Network security: Allow PKU2U authentication requests to this computer to use online identities.
@@ -591,6 +806,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+**LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon**
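Review bot: RecoveryConsole_AllowAutomaticAdministrativeLogon gets only the heading line in this change; the next hunk (-631,6 +847,7) already belongs to Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn, so no Scope block is added for it. Every other LocalPoliciesSecurityOptions policy in this diff gains a Scope section with a "Device" checklist entry. Add the same block here, or state why this policy is the exception.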
@@ -631,6 +847,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+**LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn**
@@ -657,6 +874,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Shutdown: Allow system to be shut down without having to log on
@@ -676,6 +902,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+**LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation**
@@ -702,6 +929,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop.
@@ -720,6 +956,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+**LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators**
@@ -746,6 +983,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
@@ -769,6 +1015,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+**LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers**
@@ -795,6 +1042,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
User Account Control: Behavior of the elevation prompt for standard users
This policy setting controls the behavior of the elevation prompt for standard users.
@@ -811,6 +1067,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+**LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated**
@@ -837,6 +1094,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
User Account Control: Only elevate executable files that are signed and validated
@@ -850,6 +1116,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+**LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations**
@@ -876,6 +1143,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
User Account Control: Only elevate UIAccess applications that are installed in secure locations
@@ -895,6 +1171,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+**LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode**
@@ -921,6 +1198,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
User Account Control: Turn on Admin Approval Mode
@@ -935,6 +1221,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+**LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation**
@@ -961,6 +1248,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
User Account Control: Switch to the secure desktop when prompting for elevation
@@ -974,6 +1270,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+**LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations**
@@ -1000,6 +1297,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
User Account Control: Virtualize file and registry write failures to per-user locations
diff --git a/windows/client-management/mdm/policy-csp-location.md b/windows/client-management/mdm/policy-csp-location.md
index 130111a793..f1124ffad4 100644
--- a/windows/client-management/mdm/policy-csp-location.md
+++ b/windows/client-management/mdm/policy-csp-location.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - Location
@@ -14,11 +14,18 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
+
## Location policies
+
Added in Windows 10, version 1703. Optional policy that allows for IT admin to preconfigure whether or not Location Service's Device Switch is enabled or disabled for the device. Setting this policy is not required for Location Services to function. This policy controls a device wide state that affects all users, apps, and services ability to find the device's latitude and longitude on a map. There is a separate user switch that defines whether the location service is allowed to retrieve a position for the current user. In order to retrieve a position for a specific user, both the Device Switch and the User Switch must be enabled. If either is disabled, positions cannot be retrieved for the user. The user can later change both the User Switch and the Device Switch through the user interface on the Settings -> Privacy -> Location page.
diff --git a/windows/client-management/mdm/policy-csp-lockdown.md b/windows/client-management/mdm/policy-csp-lockdown.md
index ff2b494dee..038d477577 100644
--- a/windows/client-management/mdm/policy-csp-lockdown.md
+++ b/windows/client-management/mdm/policy-csp-lockdown.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - LockDown
@@ -14,11 +14,18 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
Added in Windows 10, version 1607. Allows the user to invoke any system user interface by swiping in from any screen edge using touch.
diff --git a/windows/client-management/mdm/policy-csp-maps.md b/windows/client-management/mdm/policy-csp-maps.md
index 40abac41bc..5c1dab3c54 100644
--- a/windows/client-management/mdm/policy-csp-maps.md
+++ b/windows/client-management/mdm/policy-csp-maps.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - Maps
@@ -14,11 +14,21 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
Added in Windows 10, version 1607. Disables the automatic download and update of map data.
diff --git a/windows/client-management/mdm/policy-csp-messaging.md b/windows/client-management/mdm/policy-csp-messaging.md
index edaff6765e..eac7199c3e 100644
--- a/windows/client-management/mdm/policy-csp-messaging.md
+++ b/windows/client-management/mdm/policy-csp-messaging.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - Messaging
@@ -14,11 +14,24 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
+
+**Messaging/AllowMMS**
@@ -45,6 +58,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@@ -58,6 +80,7 @@ ms.date: 08/30/2017
+**Messaging/AllowMessageSync**
@@ -84,6 +107,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. Enables text message back up and restore and Messaging Everywhere. This policy allows an organization to disable these features to avoid information being stored on servers outside of their control.
@@ -94,6 +126,7 @@ ms.date: 08/30/2017
+
**Messaging/AllowRCS**
@@ -120,6 +153,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
diff --git a/windows/client-management/mdm/policy-csp-networkisolation.md b/windows/client-management/mdm/policy-csp-networkisolation.md
index 3196840a3b..95dcb7e362 100644
--- a/windows/client-management/mdm/policy-csp-networkisolation.md
+++ b/windows/client-management/mdm/policy-csp-networkisolation.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - NetworkIsolation
@@ -14,11 +14,39 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
+
## NetworkIsolation policies
+
Contains a list of Enterprise resource domains hosted in the cloud that need to be protected. Connections to these resources are considered enterprise data. If a proxy is paired with a cloud resource, traffic to the cloud resource will be routed through the enterprise network via the denoted proxy server (on Port 80). A proxy server used for this purpose must also be configured using the **EnterpriseInternalProxyServers** policy. This domain list is a pipe-separated list of cloud resources. Each cloud resource can also be paired optionally with an internal proxy server by using a trailing comma followed by the proxy address. For example, **<*cloudresource*>|<*cloudresource*>|<*cloudresource*>,<*proxy*>|<*cloudresource*>|<*cloudresource*>,<*proxy*>|**.
+
Sets the enterprise IP ranges that define the computers in the enterprise network. Data that comes from those computers will be considered part of the enterprise and protected. These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of IPv4 and IPv6 ranges. For example:
@@ -90,6 +137,7 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+
This is the comma-separated list of internal proxy servers. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59". These proxies have been configured by the admin to connect to specific resources on the Internet. They are considered to be enterprise network locations. The proxies are only leveraged in configuring the **EnterpriseCloudResources** policy to force traffic to the matched cloud resources through these proxies.
+
This is the list of domains that comprise the boundaries of the enterprise. Data from one of these domains that is sent to a device will be considered enterprise data and protected These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of domains, for example "contoso.sharepoint.com, Fabrikam.com".
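Review bot: the unchanged description under the added blank line has a run-on, "will be considered enterprise data and protected These locations will be considered a safe destination", with the period missing after "protected". Since this text defines which domains count as the enterprise boundary, fix the sentence break while the file is open.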
@@ -193,6 +270,7 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+
This is a comma-separated list of proxy servers. Any server on this list is considered non-enterprise. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59".
+
List of domain names that can used for work or personal resource.
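Review bot: the last context line reads "List of domain names that can used for work or personal resource", which is missing "be". Unlike the other NetworkIsolation descriptions in this diff, it also does not say what separator the list uses; the neighbouring policies state comma-separated or pipe-separated explicitly, so add the format here as well.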
diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md
index 2a291f8ba6..f85714b12c 100644
--- a/windows/client-management/mdm/policy-csp-notifications.md
+++ b/windows/client-management/mdm/policy-csp-notifications.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - Notifications
@@ -14,11 +14,18 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
Added in Windows 10, version 1607. Boolean value that turns off notification mirroring.
diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md
index 17298b3cdf..e981b7483e 100644
--- a/windows/client-management/mdm/policy-csp-power.md
+++ b/windows/client-management/mdm/policy-csp-power.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - Power
@@ -14,11 +14,42 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
+
+**Power/AllowStandbyWhenSleepingPluggedIn**
@@ -45,6 +76,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
This policy setting manages whether or not Windows is allowed to use standby states when putting the computer in a sleep state.
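Review bot: the checklist marker added in this hunk is written `> [!div class = "checklist"]`, with spaces around the `=`. Please confirm that this form renders as a checklist on the published page, or write it as `class="checklist"`. The Scope block is also followed by four added blank lines where one would do, and the same pattern repeats in every Scope block this patch adds.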
@@ -69,6 +109,7 @@ ADMX Info:
+**Power/DisplayOffTimeoutOnBattery**
@@ -95,6 +136,15 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1709. Turn off the display (on battery). This policy setting allows you to specify the period of inactivity before Windows turns off the display.
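Review bot: the description at the end of this hunk says the setting specifies "the period of inactivity before Windows turns off the display" but the visible text gives no unit or value range. If the unit is not stated elsewhere in the entry, add it here, and do the same for the hibernate and standby timeout descriptions later in this file, which use the same wording.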
@@ -121,6 +171,7 @@ ADMX Info:
+
Added in Windows 10, version 1709. Turn off the display (plugged in). This policy setting allows you to specify the period of inactivity before Windows turns off the display.
@@ -173,6 +233,7 @@ ADMX Info:
+
Added in Windows 10, version 1709. Specify the system hibernate timeout (on battery). This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate.
@@ -226,6 +296,7 @@ ADMX Info:
+
Added in Windows 10, version 1709. Specify the system hibernate timeout (plugged in). This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate.
@@ -278,6 +358,7 @@ ADMX Info:
+
**Power/RequirePasswordWhenComputerWakesOnBattery**
@@ -304,6 +385,15 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep.
@@ -328,6 +418,7 @@ ADMX Info:
+**Power/RequirePasswordWhenComputerWakesPluggedIn**
@@ -354,6 +445,15 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep.
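Review bot: the description under the Scope block added for Power/RequirePasswordWhenComputerWakesPluggedIn is word for word the one used for Power/RequirePasswordWhenComputerWakesOnBattery, "whether or not the user is prompted for a password when the system resumes from sleep". Neither says which power state it covers, so a reader cannot tell from the text that both have to be set to require a password on every wake. Suggest adding "(plugged in)" and "(on battery)" as the timeout policies in this file already do.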
@@ -378,6 +478,7 @@ ADMX Info:
+**Power/StandbyTimeoutOnBattery**
@@ -404,6 +505,15 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1709. Specify the system sleep timeout (on battery). This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep.
@@ -430,6 +540,7 @@ ADMX Info:
+
Added in Windows 10, version 1709. Specify the system sleep timeout (plugged in). This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep.
diff --git a/windows/client-management/mdm/policy-csp-printers.md b/windows/client-management/mdm/policy-csp-printers.md
index ffd1d93c3c..2e7c8296f2 100644
--- a/windows/client-management/mdm/policy-csp-printers.md
+++ b/windows/client-management/mdm/policy-csp-printers.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - Printers
@@ -14,11 +14,24 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
+
+**Printers/PointAndPrintRestrictions**
@@ -45,6 +58,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain.
@@ -82,6 +104,7 @@ ADMX Info:
+**Printers/PointAndPrintRestrictions_User**
@@ -108,6 +131,15 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain.
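Review bot: the Scope added in this hunk for Printers/PointAndPrintRestrictions_User is User, yet the description that follows is identical to the Device-scoped Printers/PointAndPrintRestrictions text and still says it applies "only to computers that are members of a domain". Suggest one sentence on how the user-scoped setting differs from the device-scoped one and which applies when both are configured, since the setting controls the Point and Print security prompts.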
@@ -145,6 +177,7 @@ ADMX Info:
+**Printers/PublishPrinters**
@@ -171,6 +204,15 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Determines whether the computer's shared printers can be published in Active Directory.
diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md
index 2db8de6070..f839be65ee 100644
--- a/windows/client-management/mdm/policy-csp-privacy.md
+++ b/windows/client-management/mdm/policy-csp-privacy.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - Privacy
@@ -14,11 +14,246 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
+
## Privacy policies
+
Allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps.
@@ -60,6 +304,7 @@ ms.date: 08/30/2017
+
Updated in Windows 10, version 1709. Allows the usage of cloud based speech services for Cortana, dictation, or Store applications. Setting this policy to 1, lets Microsoft use the user's voice data to improve cloud speech services for all users.
@@ -99,6 +353,7 @@ ms.date: 08/30/2017
+
Added in Windows 10, version 1607. Enables or disables the Advertising ID.
@@ -138,6 +402,7 @@ ms.date: 08/30/2017
+
**Privacy/EnableActivityFeed**
@@ -164,6 +429,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1709. Allows IT Admins to allow Apps/OS to publish to the activity feed.
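Review bot: the description after the new Scope block reads "Allows IT Admins to allow Apps/OS to publish to the activity feed", which repeats "allow" and uses the shorthand "Apps/OS". Suggest rewording along the lines of "Specifies whether apps and the operating system can publish to the activity feed" so the sentence states what the policy controls.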
@@ -174,6 +448,7 @@ The following list shows the supported values:
+**Privacy/LetAppsAccessAccountInfo**
@@ -200,6 +475,15 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. Specifies whether Windows apps can access account information.
@@ -213,6 +497,7 @@ The following list shows the supported values:
+
**Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps**
@@ -239,11 +524,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.
+
**Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps**
@@ -270,11 +565,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.
+
**Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps**
@@ -301,11 +606,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.
+
**Privacy/LetAppsAccessCalendar**
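Review bot: with this hunk the account information policy has three per-app lists (_ForceAllowTheseApps, _ForceDenyTheseApps, _UserInControlOfTheseApps), and each description says it "overrides the default LetAppsAccessAccountInfo policy setting", but the visible text never says what happens when the same Package Family Name appears in more than one list. Please document the precedence, or state that a name must appear in only one list. The same gap applies to every LetAppsAccess* group that follows.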
@@ -332,6 +647,15 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. Specifies whether Windows apps can access the calendar.
@@ -345,6 +669,7 @@ The following list shows the supported values:
+
**Privacy/LetAppsAccessCalendar_ForceAllowTheseApps**
@@ -371,11 +696,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.
+
**Privacy/LetAppsAccessCalendar_ForceDenyTheseApps**
@@ -402,11 +737,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.
+
**Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps**
@@ -433,11 +778,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.
+
**Privacy/LetAppsAccessCallHistory**
@@ -464,6 +819,15 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. Specifies whether Windows apps can access call history.
@@ -477,6 +841,7 @@ The following list shows the supported values:
+
**Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps**
@@ -503,11 +868,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
+
**Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps**
@@ -534,11 +909,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
+
**Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps**
@@ -565,11 +950,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
+
**Privacy/LetAppsAccessCamera**
@@ -596,6 +991,15 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. Specifies whether Windows apps can access the camera.
@@ -609,6 +1013,7 @@ The following list shows the supported values:
+
**Privacy/LetAppsAccessCamera_ForceAllowTheseApps**
@@ -635,11 +1040,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+
**Privacy/LetAppsAccessCamera_ForceDenyTheseApps**
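Review bot: from this hunk onward the descriptions say "Package Family Names of Microsoft Store Apps" and "Listed apps", while the account information, calendar and call history entries earlier in this file say "Package Family Names of Windows apps" and "Listed Windows apps". Pick one term and use it in every LetAppsAccess* entry, with consistent capitalisation of "apps", so readers do not assume the two groups accept different kinds of package.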
@@ -666,11 +1081,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+
**Privacy/LetAppsAccessCamera_UserInControlOfTheseApps**
@@ -697,11 +1122,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+
**Privacy/LetAppsAccessContacts**
@@ -728,6 +1163,15 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. Specifies whether Windows apps can access contacts.
@@ -741,6 +1185,7 @@ The following list shows the supported values:
+
**Privacy/LetAppsAccessContacts_ForceAllowTheseApps**
@@ -767,11 +1212,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+
**Privacy/LetAppsAccessContacts_ForceDenyTheseApps**
@@ -798,11 +1253,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+
**Privacy/LetAppsAccessContacts_UserInControlOfTheseApps**
@@ -829,11 +1294,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+
**Privacy/LetAppsAccessEmail**
@@ -860,6 +1335,15 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. Specifies whether Windows apps can access email.
@@ -873,6 +1357,7 @@ The following list shows the supported values:
+
**Privacy/LetAppsAccessEmail_ForceAllowTheseApps**
@@ -899,11 +1384,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+
**Privacy/LetAppsAccessEmail_ForceDenyTheseApps**
@@ -930,11 +1425,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+
**Privacy/LetAppsAccessEmail_UserInControlOfTheseApps**
@@ -961,11 +1466,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+
**Privacy/LetAppsAccessLocation**
@@ -992,6 +1507,15 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. Specifies whether Windows apps can access location.
@@ -1005,6 +1529,7 @@ The following list shows the supported values:
+
**Privacy/LetAppsAccessLocation_ForceAllowTheseApps**
@@ -1031,11 +1556,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+
**Privacy/LetAppsAccessLocation_ForceDenyTheseApps**
@@ -1062,11 +1597,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+
**Privacy/LetAppsAccessLocation_UserInControlOfTheseApps**
@@ -1093,11 +1638,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+
**Privacy/LetAppsAccessMessaging**
@@ -1124,6 +1679,15 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. Specifies whether Windows apps can read or send messages (text or MMS).
@@ -1137,6 +1701,7 @@ The following list shows the supported values:
+
**Privacy/LetAppsAccessMessaging_ForceAllowTheseApps**
@@ -1163,11 +1728,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+
**Privacy/LetAppsAccessMessaging_ForceDenyTheseApps**
@@ -1194,11 +1769,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+
**Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps**
@@ -1225,11 +1810,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+
**Privacy/LetAppsAccessMicrophone**
@@ -1256,6 +1851,15 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. Specifies whether Windows apps can access the microphone.
@@ -1269,6 +1873,7 @@ The following list shows the supported values:
+
**Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps**
@@ -1295,11 +1900,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+
**Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps**
@@ -1326,11 +1941,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+
**Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps**
@@ -1357,11 +1982,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+
**Privacy/LetAppsAccessMotion**
@@ -1388,6 +2023,15 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. Specifies whether Windows apps can access motion data.
@@ -1401,6 +2045,7 @@ The following list shows the supported values:
+
**Privacy/LetAppsAccessMotion_ForceAllowTheseApps**
@@ -1427,11 +2072,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+
**Privacy/LetAppsAccessMotion_ForceDenyTheseApps**
@@ -1458,11 +2113,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+
**Privacy/LetAppsAccessMotion_UserInControlOfTheseApps**
@@ -1489,11 +2154,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+
**Privacy/LetAppsAccessNotifications**
@@ -1520,6 +2195,15 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. Specifies whether Windows apps can access notifications.
@@ -1533,6 +2217,7 @@ The following list shows the supported values:
+
**Privacy/LetAppsAccessNotifications_ForceAllowTheseApps**
@@ -1559,11 +2244,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+
**Privacy/LetAppsAccessNotifications_ForceDenyTheseApps**
@@ -1590,11 +2285,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+
**Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps**
@@ -1621,11 +2326,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+
**Privacy/LetAppsAccessPhone**
@@ -1652,6 +2367,15 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. Specifies whether Windows apps can make phone calls.
@@ -1665,6 +2389,7 @@ The following list shows the supported values:
+
**Privacy/LetAppsAccessPhone_ForceAllowTheseApps**
@@ -1691,11 +2416,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+
**Privacy/LetAppsAccessPhone_ForceDenyTheseApps**
@@ -1722,11 +2457,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+
**Privacy/LetAppsAccessPhone_UserInControlOfTheseApps**
@@ -1753,11 +2498,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+
**Privacy/LetAppsAccessRadios**
@@ -1784,6 +2539,15 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. Specifies whether Windows apps have access to control radios.
@@ -1797,6 +2561,7 @@ The following list shows the supported values:
+
**Privacy/LetAppsAccessRadios_ForceAllowTheseApps**
@@ -1823,11 +2588,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+
**Privacy/LetAppsAccessRadios_ForceDenyTheseApps**
@@ -1854,11 +2629,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+
**Privacy/LetAppsAccessRadios_UserInControlOfTheseApps**
@@ -1885,11 +2670,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+
**Privacy/LetAppsAccessTasks**
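Review bot: precedence between the three per-app lists is undocumented in the LetAppsAccessRadios entries this hunk and the two before it touch. The ForceAllowTheseApps, ForceDenyTheseApps and UserInControlOfTheseApps descriptions each say the list "overrides the default LetAppsAccessRadios policy setting for the specified apps", but none says which list wins when the same Package Family Name appears in more than one of them. Since the Scope block is being added to every one of these entries anyway, add a sentence stating the precedence (or that overlapping entries are unsupported), so an admin auditing a deny list knows whether an allow entry elsewhere can undo it.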
@@ -1916,11 +2711,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1703. Specifies whether Windows apps can access tasks.
+
**Privacy/LetAppsAccessTasks_ForceAllowTheseApps**
@@ -1947,11 +2752,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+
**Privacy/LetAppsAccessTasks_ForceDenyTheseApps**
@@ -1978,11 +2793,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+
**Privacy/LetAppsAccessTasks_UserInControlOfTheseApps**
@@ -2009,11 +2834,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+
**Privacy/LetAppsAccessTrustedDevices**
@@ -2040,6 +2875,15 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. Specifies whether Windows apps can access trusted devices.
@@ -2053,6 +2897,7 @@ The following list shows the supported values:
+
**Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps**
@@ -2079,11 +2924,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+
**Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps**
@@ -2110,11 +2965,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+
**Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps**
@@ -2141,11 +3006,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+
**Privacy/LetAppsGetDiagnosticInfo**
@@ -2172,6 +3047,15 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1703. Force allow, force deny or give user control of apps that can get diagnostic information about other running apps.
@@ -2185,6 +3069,7 @@ The following list shows the supported values:
+
**Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps**
@@ -2211,11 +3096,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps.
+
**Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps**
@@ -2242,11 +3137,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps.
+
**Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps**
@@ -2273,11 +3178,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'get diagnostic info' privacy setting for the listed apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps.
+
**Privacy/LetAppsRunInBackground**
@@ -2304,6 +3219,15 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1703. Specifies whether Windows apps can run in the background.
@@ -2319,6 +3243,7 @@ The following list shows the supported values:
+
**Privacy/LetAppsRunInBackground_ForceAllowTheseApps**
@@ -2345,11 +3270,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are able to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps.
+
**Privacy/LetAppsRunInBackground_ForceDenyTheseApps**
@@ -2376,11 +3311,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied the ability to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps.
+
**Privacy/LetAppsRunInBackground_UserInControlOfTheseApps**
@@ -2407,11 +3352,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the background apps privacy setting for the listed apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps.
+
**Privacy/LetAppsSyncWithDevices**
@@ -2438,6 +3393,15 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. Specifies whether Windows apps can sync with devices.
@@ -2451,6 +3415,7 @@ The following list shows the supported values:
+
**Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps**
@@ -2477,11 +3442,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+
**Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps**
@@ -2508,11 +3483,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+
**Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps**
@@ -2539,11 +3524,21 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps.
+
**Privacy/PublishUserActivities**
@@ -2570,6 +3565,15 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1709. Allows It Admins to enable publishing of user activities to the activity feed.
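Review bot: typo in the description line right under the new Scope block for Privacy/PublishUserActivities: "Allows It Admins" should read "Allows IT Admins", matching the spelling used in the Settings and Start descriptions elsewhere in this change. The entry is already being edited here, so fix the capitalization in the same commit.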
diff --git a/windows/client-management/mdm/policy-csp-remoteassistance.md b/windows/client-management/mdm/policy-csp-remoteassistance.md
index 61751bca3b..71e7c1ee14 100644
--- a/windows/client-management/mdm/policy-csp-remoteassistance.md
+++ b/windows/client-management/mdm/policy-csp-remoteassistance.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - RemoteAssistance
@@ -14,11 +14,27 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
+
## RemoteAssistance policies
+
+
+**RemoteProcedureCall/RPCEndpointMapperClientAuthentication**
@@ -45,6 +55,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner.
@@ -73,6 +92,7 @@ ADMX Info:
+**RemoteProcedureCall/RestrictUnauthenticatedRPCClients**
@@ -99,6 +119,15 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers.
diff --git a/windows/client-management/mdm/policy-csp-remoteshell.md b/windows/client-management/mdm/policy-csp-remoteshell.md
index 32309bdf9d..9dd90c60be 100644
--- a/windows/client-management/mdm/policy-csp-remoteshell.md
+++ b/windows/client-management/mdm/policy-csp-remoteshell.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - RemoteShell
@@ -14,11 +14,36 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
+
## RemoteShell policies
+
Added in Windows 10, version 1709. Allow search and Cortana to search cloud sources like OneDrive and SharePoint. This policy allows corporate administrators to control whether employees can turn off/on the search of these cloud sources. The default policy value is to allow employees access to the setting that controls search of cloud sources.
@@ -55,6 +98,7 @@ ms.date: 08/30/2017
+
Allows or disallows the indexing of items. This switch is for the Windows Search Indexer, which controls whether it will index items that are encrypted, such as the Windows Information Protection (WIP) protected files.
@@ -97,6 +150,7 @@ ms.date: 08/30/2017
+
If enabled, the search indexer backoff feature will be disabled. Indexing will continue at full speed even when system activity is high. If disabled, backoff logic will be used to throttle back indexing activity when system activity is high. Default is disabled.
@@ -247,6 +340,7 @@ ms.date: 08/30/2017
+
Enabling this policy prevents indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. Select between 0 and 1.
@@ -327,6 +440,7 @@ ms.date: 08/30/2017
+
If enabled, clients will be unable to query this computer's index remotely. Thus, when they are browsing network shares that are stored on this computer, they will not search them using the index. If disabled, client search requests will use this computer's index..
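Review bot: the description in this hunk's context ends with a doubled period ("client search requests will use this computer's index.."). The change only inserts a blank line above it; drop the extra period while the paragraph is being touched.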
@@ -363,6 +486,7 @@ ms.date: 08/30/2017
+
**Search/SafeSearchPermissions**
@@ -389,6 +513,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md
index 229903014f..be8599f45e 100644
--- a/windows/client-management/mdm/policy-csp-security.md
+++ b/windows/client-management/mdm/policy-csp-security.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - Security
@@ -14,11 +14,45 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
+
## Security policies
+
Specifies whether to allow the runtime configuration agent to install provisioning packages.
@@ -55,6 +98,7 @@ ms.date: 08/30/2017
+
**Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices**
@@ -100,6 +144,7 @@ ms.date: 08/30/2017
+**Security/AllowManualRootCertificateInstallation**
@@ -126,6 +171,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@@ -142,6 +196,7 @@ ms.date: 08/30/2017
+**Security/AllowRemoveProvisioningPackage**
@@ -168,6 +223,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Specifies whether to allow the runtime configuration agent to remove provisioning packages.
@@ -178,6 +242,7 @@ ms.date: 08/30/2017
+
**Security/AntiTheftMode**
@@ -204,6 +269,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@@ -218,6 +292,7 @@ ms.date: 08/30/2017
+**Security/ClearTPMIfNotReady**
@@ -244,6 +319,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -257,6 +341,7 @@ The following list shows the supported values:
+**Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices**
@@ -283,6 +368,15 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -299,6 +393,7 @@ The following list shows the supported values:
+**Security/RequireDeviceEncryption**
@@ -325,6 +420,15 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile. In Windows 10 for desktop, you can query encryption status by using the [DeviceStatus CSP](devicestatus-csp.md) node **DeviceStatus/Compliance/EncryptionCompliance**.
@@ -343,6 +447,7 @@ The following list shows the supported values:
+**Security/RequireProvisioningPackageSignature**
@@ -369,6 +474,15 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Specifies whether provisioning packages must have a certificate signed by a device trusted authority.
@@ -379,6 +493,7 @@ The following list shows the supported values:
+
**Security/RequireRetrieveHealthCertificateOnBoot**
@@ -405,6 +520,15 @@ The following list shows the supported values:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Specifies whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service (HAS) when a device boots or reboots.
diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md
index 50a3295347..987f2c639b 100644
--- a/windows/client-management/mdm/policy-csp-settings.md
+++ b/windows/client-management/mdm/policy-csp-settings.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - Settings
@@ -14,11 +14,54 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
Allows editing of the device name.
@@ -170,6 +252,7 @@ ms.date: 08/30/2017
+
**Settings/AllowLanguage**
@@ -196,6 +279,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -210,6 +302,7 @@ ms.date: 08/30/2017
+**Settings/AllowPowerSleep**
@@ -236,6 +329,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -250,6 +352,7 @@ ms.date: 08/30/2017
+**Settings/AllowRegion**
@@ -276,6 +379,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -290,6 +402,7 @@ ms.date: 08/30/2017
+**Settings/AllowSignInOptions**
@@ -316,6 +429,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -330,6 +452,7 @@ ms.date: 08/30/2017
+**Settings/AllowVPN**
@@ -356,6 +479,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Allows the user to change VPN settings.
@@ -366,6 +498,7 @@ ms.date: 08/30/2017
+
**Settings/AllowWorkplace**
@@ -392,6 +525,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -406,6 +548,7 @@ ms.date: 08/30/2017
+**Settings/AllowYourAccount**
@@ -432,6 +575,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Allows user to change account settings.
@@ -442,6 +594,7 @@ ms.date: 08/30/2017
+
Added in Windows 10, version 1703. Allows IT Admins to configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. In this version of Windows 10, supported additional calendars are: Simplified or Traditional Chinese lunar calendar. Turning on one of these calendars will display Chinese lunar dates below the default calendar for the locale. Select "Don't show additional calendars" to prevent showing other calendars besides the default calendar for the locale.
@@ -480,6 +642,7 @@ ms.date: 08/30/2017
+
Added in Windows 10, version 1703. Allows IT Admins to either prevent specific pages in the System Settings app from being visible or accessible, or to do so for all pages except those specified. The mode will be specified by the policy string beginning with either the string "showonly:" or "hide:". Pages are identified by a shortened version of their already published URIs, which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:foo", the page identifier used in the policy will be just "foo". Multiple page identifiers are separated by semicolons.
diff --git a/windows/client-management/mdm/policy-csp-smartscreen.md b/windows/client-management/mdm/policy-csp-smartscreen.md
index adc515f986..2437d31e21 100644
--- a/windows/client-management/mdm/policy-csp-smartscreen.md
+++ b/windows/client-management/mdm/policy-csp-smartscreen.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - SmartScreen
@@ -14,11 +14,24 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
Added in Windows 10, version 1703. Allows IT Admins to control whether users are allowed to install apps from places other than the Store.
@@ -55,6 +77,7 @@ ms.date: 08/30/2017
+
Added in Windows 10, version 1703. Allows IT Admins to control whether users can can ignore SmartScreen warnings and run malicious files.
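Review bot: duplicated word in the SmartScreen description at the end of this hunk: "whether users can can ignore SmartScreen warnings". Change it to "whether users can ignore SmartScreen warnings". This sentence defines a security control, so it is worth getting the wording clean in the same pass that reformats the entry.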
diff --git a/windows/client-management/mdm/policy-csp-speech.md b/windows/client-management/mdm/policy-csp-speech.md
index 833057f11a..de1665ee8d 100644
--- a/windows/client-management/mdm/policy-csp-speech.md
+++ b/windows/client-management/mdm/policy-csp-speech.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - Speech
@@ -14,11 +14,18 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
Added in Windows 10, version 1607. Specifies whether the device will receive updates to the speech recognition and speech synthesis models. A speech model contains data used by the speech engine to convert audio to text (or vice-versa). The models are periodically updated to improve accuracy and performance. Models are non-executable data files. If enabled, the device will periodically check for updated speech models and then download them from a Microsoft service using the Background Internet Transfer Service (BITS).
diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md
index 75e90f86a0..f73f1b8331 100644
--- a/windows/client-management/mdm/policy-csp-start.md
+++ b/windows/client-management/mdm/policy-csp-start.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - Start
@@ -14,11 +14,99 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
Added in Windows 10, version 1703. This policy controls the visibility of the Documents shortcut on the Start menu.
@@ -56,6 +153,7 @@ ms.date: 08/30/2017
+
Added in Windows 10, version 1703. This policy controls the visibility of the Downloads shortcut on the Start menu.
@@ -93,6 +200,7 @@ ms.date: 08/30/2017
+
Added in Windows 10, version 1703. This policy controls the visibility of the File Explorer shortcut on the Start menu.
@@ -130,6 +247,7 @@ ms.date: 08/30/2017
+
Added in Windows 10, version 1703. This policy controls the visibility of the HomeGroup shortcut on the Start menu.
@@ -167,6 +294,7 @@ ms.date: 08/30/2017
+
Added in Windows 10, version 1703. This policy controls the visibility of the Music shortcut on the Start menu.
@@ -204,6 +341,7 @@ ms.date: 08/30/2017
+
Added in Windows 10, version 1703. This policy controls the visibility of the Network shortcut on the Start menu.
@@ -241,6 +388,7 @@ ms.date: 08/30/2017
+
Added in Windows 10, version 1703. This policy controls the visibility of the PersonalFolder shortcut on the Start menu.
@@ -278,6 +435,7 @@ ms.date: 08/30/2017
+
Added in Windows 10, version 1703. This policy controls the visibility of the Pictures shortcut on the Start menu.
@@ -315,6 +482,7 @@ ms.date: 08/30/2017
+
Added in Windows 10, version 1703. This policy controls the visibility of the Settings shortcut on the Start menu.
@@ -352,6 +529,7 @@ ms.date: 08/30/2017
+
Added in Windows 10, version 1703. This policy controls the visibility of the Videos shortcut on the Start menu.
@@ -389,6 +576,7 @@ ms.date: 08/30/2017
+
**Start/ForceStartSize**
@@ -415,6 +603,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@@ -432,6 +629,7 @@ ms.date: 08/30/2017
+**Start/HideAppList**
@@ -458,6 +656,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> This policy requires reboot to take effect.
@@ -483,6 +690,7 @@ ms.date: 08/30/2017
+**Start/HideChangeAccountSettings**
@@ -509,6 +717,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Change account settings" from appearing in the user tile.
@@ -524,6 +741,7 @@ ms.date: 08/30/2017
+
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Hibernate" from appearing in the Power button.
@@ -616,6 +853,7 @@ ms.date: 08/30/2017
+
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Lock" from appearing in the user tile.
@@ -657,6 +904,7 @@ ms.date: 08/30/2017
+
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Restart" and "Update and restart" from appearing in the Power button.
@@ -841,6 +1128,7 @@ ms.date: 08/30/2017
+
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Shut down" and "Update and shut down" from appearing in the Power button.
@@ -882,6 +1179,7 @@ ms.date: 08/30/2017
+
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Sign out" from appearing in the user tile.
@@ -923,6 +1230,7 @@ ms.date: 08/30/2017
+
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Sleep" from appearing in the Power button.
@@ -964,6 +1281,7 @@ ms.date: 08/30/2017
+
Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Switch account" from appearing in the user tile.
@@ -1005,6 +1332,7 @@ ms.date: 08/30/2017
+
Added in Windows 10, version 1703. Allows IT Admins to configure the taskbar by disabling pinning and unpinning apps on the taskbar.
@@ -1140,6 +1497,7 @@ ms.date: 08/30/2017
+
**Start/StartLayout**
@@ -1166,6 +1524,16 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
> [!IMPORTANT]
> This node is set on a per-user basis and must be accessed using the following paths:
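Review bot: the Scope checklist added for Start/StartLayout lists both User and Device, while the IMPORTANT note directly below it says "This node is set on a per-user basis". As shown, the two statements read as contradictory. The paths that follow the note are outside this hunk; if they include a device-scoped path, reword the note to say so, and if they do not, remove Device from the checklist.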
diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md
index e73be79d8b..f7485274a3 100644
--- a/windows/client-management/mdm/policy-csp-storage.md
+++ b/windows/client-management/mdm/policy-csp-storage.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - Storage
@@ -14,11 +14,18 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
+
## Storage policies
+
+
+**Storage/EnhancedStorageDevices**
@@ -45,6 +52,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
This policy setting configures whether or not Windows will activate an Enhanced Storage device.
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md
index 547782becf..e05d775dd4 100644
--- a/windows/client-management/mdm/policy-csp-system.md
+++ b/windows/client-management/mdm/policy-csp-system.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/20/2017
+ms.date: 09/29/2017
---
# Policy CSP - System
@@ -14,11 +14,54 @@ ms.date: 09/20/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
+
## System policies
+
+
+**System/AllowBuildPreview**
@@ -45,6 +88,15 @@ ms.date: 09/20/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> This policy setting applies only to devices running Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, Windows 10 Mobile, and Windows 10 Mobile Enterprise.
@@ -62,6 +114,7 @@ ms.date: 09/20/2017
+**System/AllowEmbeddedMode**
@@ -88,6 +141,15 @@ ms.date: 09/20/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Specifies whether set general purpose device to be in embedded mode.
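Review bot: the description that now follows the new Scope block, "Specifies whether set general purpose device to be in embedded mode.", is ungrammatical and does not say what the setting controls. Since this section is being touched anyway, reword it, for example "Specifies whether a general-purpose device can be set to embedded mode."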
@@ -100,6 +162,7 @@ ms.date: 09/20/2017
+
**System/AllowExperimentation**
@@ -126,6 +189,15 @@ ms.date: 09/20/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> This policy is not supported in Windows 10, version 1607.
@@ -142,6 +214,7 @@ ms.date: 09/20/2017
+**System/AllowFontProviders**
@@ -168,6 +241,15 @@ ms.date: 09/20/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1703. Boolean policy setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. If you enable this setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text. If you disable this policy setting, Windows does not connect to an online font provider and only enumerates locally-installed fonts.
@@ -189,6 +271,7 @@ ms.date: 09/20/2017
+
Controls whether the user is allowed to use the storage card for device storage. This setting prevents programmatic access to the storage card.
@@ -272,6 +374,7 @@ ms.date: 09/20/2017
+
Specifies whether to allow the user to factory reset the phone by using control panel and hardware key combination.
@@ -416,6 +539,7 @@ Windows 10 Values:
+
Added in Windows 10, version 1703. Allows IT Admins to prevent apps and features from working with files on OneDrive. If you enable this policy setting:
@@ -510,6 +653,7 @@ ADMX Info:
+
This policy setting, in combination with the System/AllowTelemetry
policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services.
@@ -608,9 +771,9 @@ ADMX Info:
If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy.
-
+
Allows you to specify the fully qualified domain name (FQDN) or IP address of a proxy server to forward Connected User Experiences and Telemetry requests. The format for this setting is *<server>:<port>*. The connection is made over a Secure Sockets Layer (SSL) connection. If the named proxy fails, or if there is no proxy specified when this policy is enabled, the Connected User Experiences and Telemetry data will not be transmitted and will remain on the local device.
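Review bot: the `-`/`+` pair at line 771 changes only whitespace, so this hunk adds diff noise without changing the rendered page; drop it or use it to fix the paragraph that follows. In that paragraph the format is written as `*<server>:<port>*`; if those are literal angle brackets in the source, a Markdown renderer can treat them as HTML tags and show only the colon, so escape them or move the pattern into a code span. "The connection is made over a Secure Sockets Layer (SSL) connection" also repeats "connection" and can be shortened.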
diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md
index 08041394b9..fde893e7ec 100644
--- a/windows/client-management/mdm/policy-csp-textinput.md
+++ b/windows/client-management/mdm/policy-csp-textinput.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - TextInput
@@ -14,11 +14,54 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
Allows for the configuration of the default clock setting to be the 24 hour format. Selecting 'Set 24 hour Clock' enables this setting. Selecting 'Locale default setting' uses the default clock as prescribed by the current locale setting.
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index befad78d96..63d53d42c4 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/20/2017
+ms.date: 09/29/2017
---
# Policy CSP - Update
@@ -14,11 +14,150 @@ ms.date: 09/20/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time.
@@ -57,6 +205,7 @@ ms.date: 09/20/2017
+
Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time.
@@ -92,6 +250,7 @@ ms.date: 09/20/2017
+
Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time.
@@ -130,6 +298,7 @@ ms.date: 09/20/2017
+
Added in Windows 10, version 1709. Option to download updates automatically over metered connections (off by default). Value type is integer.
@@ -213,8 +401,10 @@ ms.date: 09/20/2017
A significant number of devices primarily use cellular data and do not have Wi-Fi access, which leads to a lower number of devices getting updates. Since a large number of devices have large data plans or unlimited data, this policy can unblock devices from getting updates.
This policy is accessible through the Update setting in the user interface or Group Policy.
+
+
**Update/AllowMUUpdateService**
@@ -241,6 +431,15 @@ This policy is accessible through the Update setting in the user interface or Gr
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update.
@@ -251,6 +450,7 @@ This policy is accessible through the Update setting in the user interface or Gr
+
**Update/AllowNonMicrosoftSignedUpdate**
@@ -277,6 +477,15 @@ This policy is accessible through the Update setting in the user interface or Gr
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for 3rd party software and patch distribution.
@@ -291,6 +500,7 @@ This policy is accessible through the Update setting in the user interface or Gr
+
**Update/AllowUpdateService**
@@ -317,6 +527,15 @@ This policy is accessible through the Update setting in the user interface or Gr
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store.
@@ -334,6 +553,7 @@ This policy is accessible through the Update setting in the user interface or Gr
+
**Update/AutoRestartDeadlinePeriodInDays**
@@ -360,6 +580,15 @@ This policy is accessible through the Update setting in the user interface or Gr
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1703. This policy defines the deadline in days after which a reboot for updates will become mandatory.
@@ -369,6 +598,7 @@ This policy is accessible through the Update setting in the user interface or Gr
+
**Update/AutoRestartNotificationSchedule**
@@ -395,6 +625,15 @@ This policy is accessible through the Update setting in the user interface or Gr
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications.
@@ -404,6 +643,7 @@ This policy is accessible through the Update setting in the user interface or Gr
+
**Update/AutoRestartRequiredNotificationDismissal**
@@ -430,6 +670,15 @@ This policy is accessible through the Update setting in the user interface or Gr
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto-restart required notification is dismissed.
@@ -440,6 +689,7 @@ This policy is accessible through the Update setting in the user interface or Gr
+
**Update/BranchReadinessLevel**
@@ -466,6 +716,15 @@ This policy is accessible through the Update setting in the user interface or Gr
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from.
@@ -477,9 +736,9 @@ This policy is accessible through the Update setting in the user interface or Gr
- 16 {0x10} - (default) Semi-annual Channel (Targeted). Device gets all applicable feature updates from Semi-annual Channel (Targeted).
- 32 {0x20} - Semi-annual Channel. Device gets feature updates from Semi-annual Channel.
-
+
**Update/DeferFeatureUpdatesPeriodInDays**
@@ -506,6 +765,15 @@ This policy is accessible through the Update setting in the user interface or Gr
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
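Review bot: the sentence "Since this policy is not blocked, you will not get a failure message..." is left as body text under the new Scope block here, while the **Update/DeferUpgradePeriod** and **Update/ExcludeWUDriversInQualityUpdate** hunks in this same file carry the identical sentence inside `> [!NOTE]`. Pick one presentation and apply it to every policy that has this caveat (the **Update/PauseFeatureUpdates** hunk has the same plain-text form), otherwise the Windows 10 Mobile limitation is easy to miss where it is not called out.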
@@ -518,6 +786,7 @@ This policy is accessible through the Update setting in the user interface or Gr
+
**Update/DeferQualityUpdatesPeriodInDays**
@@ -544,6 +813,15 @@ This policy is accessible through the Update setting in the user interface or Gr
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days.
@@ -551,6 +829,7 @@ This policy is accessible through the Update setting in the user interface or Gr
+
**Update/DeferUpdatePeriod**
@@ -577,6 +856,15 @@ This policy is accessible through the Update setting in the user interface or Gr
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices.
@@ -675,6 +963,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+**Update/DeferUpgradePeriod**
@@ -701,6 +990,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
@@ -718,6 +1016,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+**Update/DetectionFrequency**
@@ -744,11 +1043,21 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1703. Specifies the scan frequency from every 1 - 22 hours. Default is 22 hours.
+
**Update/DisableDualScan**
@@ -775,6 +1084,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1709, but was added to 1607 and 1703 service releases. Do not allow update deferral policies to cause scans against Windows Update. If this policy is not enabled, then configuring deferral policies will result in the client unexpectedly scanning Windows update. With the policy enabled, those scans are prevented, and users can configure deferral policies as much as they like.
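Review bot: the description under the new Scope block opens with "Added in Windows 10, version 1709, but was added to 1607 and 1703 service releases", which leaves the reader unsure which builds actually honor the policy; state the supported versions directly. The same paragraph writes "Windows update" where the previous sentence uses "Windows Update", and "as much as they like" is looser than the rest of the page. Because this setting decides whether deferral policies trigger scans against Windows Update, the wording should be unambiguous.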
@@ -789,6 +1107,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
**Update/EngagedRestartDeadline**
@@ -815,6 +1134,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (pending user scheduling).
@@ -824,6 +1152,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
**Update/EngagedRestartSnoozeSchedule**
@@ -850,6 +1179,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications.
@@ -859,6 +1197,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
**Update/EngagedRestartTransitionSchedule**
@@ -885,6 +1224,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending.
@@ -894,6 +1242,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
**Update/ExcludeWUDriversInQualityUpdate**
@@ -920,6 +1269,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
@@ -933,6 +1291,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+**Update/FillEmptyContentUrls**
@@ -959,6 +1318,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in the April service release of Windows 10, version 1607. Allows Windows Update Agent to determine the download URL when it is missing from the metadata. This scenario will occur when intranet update service stores the metadata files but the download contents are stored in the ISV file cache (specified as the alternate download URL).
@@ -972,6 +1340,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
**Update/IgnoreMOAppDownloadLimit**
@@ -998,6 +1367,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
@@ -1021,6 +1399,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
**Update/IgnoreMOUpdateDownloadLimit**
@@ -1047,6 +1426,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
@@ -1068,6 +1456,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
**Update/PauseDeferrals**
@@ -1094,6 +1483,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices.
@@ -1112,6 +1510,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+**Update/PauseFeatureUpdates**
@@ -1138,6 +1537,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
@@ -1151,6 +1559,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
**Update/PauseFeatureUpdatesStartTime**
@@ -1177,6 +1586,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Feature Updates.
@@ -1184,6 +1602,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
**Update/PauseQualityUpdates**
@@ -1210,6 +1629,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates.
@@ -1220,6 +1648,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
**Update/PauseQualityUpdatesStartTime**
@@ -1246,6 +1675,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Quality Updates.
@@ -1253,6 +1691,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
**Update/RequireDeferUpgrade**
@@ -1279,6 +1718,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices.
@@ -1293,6 +1741,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+**Update/RequireUpdateApproval**
@@ -1319,6 +1768,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead.
@@ -1335,6 +1793,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+**Update/ScheduleImminentRestartWarning**
@@ -1361,6 +1820,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications.
@@ -1370,6 +1838,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
**Update/ScheduleRestartWarning**
@@ -1396,6 +1865,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@@ -1409,6 +1887,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+**Update/ScheduledInstallDay**
@@ -1435,6 +1914,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Enables the IT admin to schedule the day of the update installation.
@@ -1455,6 +1943,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
**Update/ScheduledInstallEveryWeek**
@@ -1481,6 +1970,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the every week. Value type is integer. Supported values:
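Review bot: the description under the new Scope block reads "schedule the update installation on the every week", which looks like a leftover from copying the ScheduledInstallFirstWeek/SecondWeek/ThirdWeek/FourthWeek text ("on the first week of the month"). Change it to "every week" so the five ScheduledInstall*Week policies read consistently.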
@@ -1490,6 +1988,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+**Update/ScheduledInstallFirstWeek**
@@ -1516,6 +2015,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the first week of the month. Value type is integer. Supported values:
@@ -1525,6 +2033,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+**Update/ScheduledInstallFourthWeek**
@@ -1551,6 +2060,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the fourth week of the month. Value type is integer. Supported values:
@@ -1560,6 +2078,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+**Update/ScheduledInstallSecondWeek**
@@ -1586,6 +2105,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the second week of the month. Value type is integer. Supported values:
@@ -1595,6 +2123,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+**Update/ScheduledInstallThirdWeek**
@@ -1621,6 +2150,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1709. Enables the IT admin to schedule the update installation on the third week of the month. Value type is integer. Supported values:
@@ -1630,6 +2168,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+**Update/ScheduledInstallTime**
@@ -1656,6 +2195,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@@ -1673,6 +2221,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+**Update/SetAutoRestartNotificationDisable**
@@ -1699,6 +2248,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1703. Allows the IT Admin to disable auto-restart notifications for update installations.
@@ -1709,6 +2267,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
**Update/SetEDURestart**
@@ -1735,6 +2294,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1703. For devices in a cart, this policy skips the check for battery level to ensure that the reboot will happen at ScheduledInstallTime.
@@ -1745,6 +2313,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
**Update/UpdateServiceUrl**
@@ -1771,6 +2340,15 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
> [!Important]
> Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enteprise and IoT Mobile.
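Review bot: the note that follows the new Scope block misspells the edition name as "Windows 10 Mobile Enteprise"; correct it to "Enterprise", as written in the other notes in this file. The alert marker is also cased `[!Important]` here while other alerts in this change use upper case (`[!IMPORTANT]`, `[!NOTE]`, `[!WARNING]`); use one casing throughout.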
@@ -1804,6 +2382,7 @@ Example
+**Update/UpdateServiceUrlAlternate**
@@ -1830,6 +2409,15 @@ Example
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in the January service release of Windows 10, version 1607. Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network.
diff --git a/windows/client-management/mdm/policy-csp-wifi.md b/windows/client-management/mdm/policy-csp-wifi.md
index 7d019f9c35..e035750dfa 100644
--- a/windows/client-management/mdm/policy-csp-wifi.md
+++ b/windows/client-management/mdm/policy-csp-wifi.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - Wifi
@@ -14,11 +14,36 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
Allow an enterprise to control the WLAN scanning behavior and how aggressively devices should be actively scanning for Wi-Fi networks to get devices connected.
diff --git a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
index ba85960f84..d47b897f44 100644
--- a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
+++ b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - WindowsDefenderSecurityCenter
@@ -14,11 +14,57 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
Added in Windows 10, version 1709. The company name that is displayed to the users. CompanyName is required for both EnableCustomizedToasts and EnableInAppCustomization. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display the contact options.
@@ -52,6 +107,7 @@ ms.date: 08/30/2017
+
Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the app and browser protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area.
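Review bot: the second sentence of this description writes "Windows defender Security Center" with a lower-case "defender", while the first sentence uses "Windows Defender Security Center". The same slip appears in the family options, device performance and health, firewall and network protection, and virus and threat protection descriptions further down this file; fix them together so the product name is consistent.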
@@ -88,6 +153,7 @@ ms.date: 08/30/2017
+
Added in Windows 10, version 1709. Use this policy if you want Windows Defender Security Center to only display notifications which are considered critical. If you disable or do not configure this setting, Windows Defender Security Center will display critical and non-critical notifications to users.
@@ -127,6 +202,7 @@ ms.date: 08/30/2017
+
Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the family options area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area.
@@ -163,6 +248,7 @@ ms.date: 08/30/2017
+
Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the device performance and health area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area.
@@ -199,6 +294,7 @@ ms.date: 08/30/2017
+
Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the firewall and network protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area.
@@ -235,6 +340,7 @@ ms.date: 08/30/2017
+
Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of Windows Defender Security Center notifications. If you disable or do not configure this setting, Windows Defender Security Center notifications will display on devices.
@@ -271,6 +386,7 @@ ms.date: 08/30/2017
+
Added in Windows 10, version 1709. Use this policy setting if you want to disable the display of the virus and threat protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area.
@@ -307,6 +432,7 @@ ms.date: 08/30/2017
+
Added in Windows 10, version 1709. Prevent users from making changes to the exploit protection settings area in the Windows Defender Security Center. If you disable or do not configure this setting, local users can make changes in the exploit protection settings area.
@@ -343,6 +478,7 @@ ms.date: 08/30/2017
+
Added in Windows 10, version 1709. The email address that is displayed to users. The default mail application is used to initiate email actions. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display contact options.
@@ -376,6 +521,7 @@ ms.date: 08/30/2017
+
Added in Windows 10, version 1709. Enable this policy to display your company name and contact options in the notifications. If you disable or do not configure this setting, or do not provide CompanyName and a minimum of one contact method (Phone using Skype, Email, Help portal URL) Windows Defender Security Center will display a default notification text.
@@ -412,6 +567,7 @@ ms.date: 08/30/2017
+
Added in Windows 10, version 1709.Enable this policy to have your company name and contact options displayed in a contact card fly out in Windows Defender Security Center. If you disable or do not configure this setting, or do not provide CompanyName and a minimum of one contact method (Phone using Skype, Email, Help portal URL) Windows Defender Security Center will not display the contact card fly out notification.
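Review bot: The context line directly after the added blank line reads "version 1709.Enable this policy", with no space after the period. Every other description in this file has "version 1709. " followed by the sentence, so add the space while this paragraph is being touched.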
@@ -448,6 +613,7 @@ ms.date: 08/30/2017
+
Added in Windows 10, version 1709. The phone number or Skype ID that is displayed to users. Skype is used to initiate the call. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices will not display contact options.
@@ -481,6 +656,7 @@ ms.date: 08/30/2017
+
Added in Windows 10, version 1709. The help portal URL this is displayed to users. The default browser is used to initiate this action. If you disable or do not configure this setting, or do not have EnableCustomizedToasts or EnableInAppCustomization enabled, then the device will not display contact options.
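Review bot: The context line under this hunk reads "The help portal URL this is displayed to users"; "this" should be "that", matching the sibling settings ("The email address that is displayed to users", "The phone number or Skype ID that is displayed to users"). The closing sentence also says "the device will not display contact options" where the sibling descriptions say "devices will not display contact options"; pick one wording for all three.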
diff --git a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
index 32d34d88ec..43176e2f15 100644
--- a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
+++ b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - WindowsInkWorkspace
@@ -14,11 +14,21 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
Added in Windows 10, version 1607. Specifies whether to allow the user to access the ink workspace.
diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md
index 22b96181e5..71a5e7e63a 100644
--- a/windows/client-management/mdm/policy-csp-windowslogon.md
+++ b/windows/client-management/mdm/policy-csp-windowslogon.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - WindowsLogon
@@ -14,11 +14,24 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
+
+**WindowsLogon/DisableLockScreenAppNotifications**
@@ -45,6 +58,15 @@ ms.date: 08/30/2017
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
This policy setting allows you to prevent app notifications from appearing on the lock screen.
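Review bot: The new Scope block ends with four consecutive blank added lines before the policy description; a single blank line separates the blockquote from the paragraph just as well and keeps the source tidy. The marker is also written as [!div class = "checklist"] with spaces around the equals sign, so confirm the docs build renders that form as a checklist. The same block is repeated unchanged in the next two hunks of this file, so whatever is decided here applies there too.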
@@ -69,6 +91,7 @@ ADMX Info:
+**WindowsLogon/DontDisplayNetworkSelectionUI**
@@ -95,6 +118,15 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen.
@@ -119,6 +151,7 @@ ADMX Info:
+**WindowsLogon/HideFastUserSwitching**
@@ -145,6 +178,15 @@ ADMX Info:
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
Added in Windows 10, version 1703. This policy setting allows you to hide the Switch account button on the sign-in screen, Start, and the Task Manager. If you enable this policy setting, the Switch account button is hidden from the user who is attempting to sign-in or is signed in to the computer that has this policy applied. If you disable or do not configure this policy setting, the Switch account button is accessible to the user in the three locations.
diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md
index ea09c4b3c7..0d7ab2b543 100644
--- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md
+++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/30/2017
+ms.date: 09/29/2017
---
# Policy CSP - WirelessDisplay
@@ -14,11 +14,33 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
Added in Windows 10, version 1703. This policy allows you to turn off projection from a PC over infrastructure.
@@ -87,6 +128,7 @@ ms.date: 08/30/2017
+
Added in Windows 10, version 1703. This policy setting allows you to turn off projection to a PC over infrastructure.
@@ -159,14 +220,25 @@ ms.date: 08/30/2017
+
Added in Windows 10, version 1607. Allow or disallow requirement for a PIN for pairing.
diff --git a/windows/client-management/windows-10-support-solutions.md b/windows/client-management/windows-10-support-solutions.md
index 03b15f9859..5c68eb15b8 100644
--- a/windows/client-management/windows-10-support-solutions.md
+++ b/windows/client-management/windows-10-support-solutions.md
@@ -40,7 +40,7 @@ These are the top Microsoft Support solutions for the most common issues experie
- [Resolve Windows 10 upgrade errors : Technical information for IT Pros](/windows/deployment/upgrade/resolve-windows-10-upgrade-errors)
- [Windows OOBE fails when you start a new Windows-based computer for the first time](https://support.microsoft.com/help/4020048/windows-oobe-fails-when-you-start-a-new-windows-based-computer-for-the)
- ["0xc1800118" error when you push Windows 10 Version 1607 by using WSUS](https://support.microsoft.com/help/3194588/-0xc1800118-error-when-you-push-windows-10-version-1607-by-using-wsus)
-- [0xC1900101 error when Windows 10 upgrade fails after the second system restart'(https://support.microsoft.com/help/3208485/0xc1900101-error-when-windows-10-upgrade-fails-after-the-second-system)
+- [0xC1900101 error when Windows 10 upgrade fails after the second system restart](https://support.microsoft.com/help/3208485/0xc1900101-error-when-windows-10-upgrade-fails-after-the-second-system)
- [Updates fix in-place upgrade to Windows 10 version 1607 problem](https://support.microsoft.com/help/4020149/updates-fix-in-place-upgrade-to-windows-10-version-1607-problem)
- [OOBE update for Windows 10 Version 1703: May 9, 2017](https://support.microsoft.com/help/4020008)
- [OOBE update for Windows 10 Version 1607: May 30, 2017](https://support.microsoft.com/help/4022632)
diff --git a/windows/configuration/TOC.md b/windows/configuration/TOC.md
index 65d1ad61c3..835a88ecb3 100644
--- a/windows/configuration/TOC.md
+++ b/windows/configuration/TOC.md
@@ -73,6 +73,8 @@
#### [AutomaticTime](wcd/wcd-automatictime.md)
#### [Browser](wcd/wcd-browser.md)
#### [CallAndMessagingEnhancement](wcd/wcd-callandmessagingenhancement.md)
+#### [Calling](wcd/wcd-calling.md)
+#### [CellCore](wcd/wcd-cellcore.md)
#### [Cellular](wcd/wcd-cellular.md)
#### [Certificates](wcd/wcd-certificates.md)
#### [CleanPC](wcd/wcd-cleanpc.md)
@@ -82,6 +84,7 @@
#### [DesktopBackgroundAndColors](wcd/wcd-desktopbackgroundandcolors.md)
#### [DeveloperSetup](wcd/wcd-developersetup.md)
#### [DeviceFormFactor](wcd/wcd-deviceformfactor.md)
+#### [DeviceInfo](wcd/wcd-deviceinfo.md)
#### [DeviceManagement](wcd/wcd-devicemanagement.md)
#### [DMClient](wcd/wcd-dmclient.md)
#### [EditionUpgrade](wcd/wcd-editionupgrade.md)
@@ -89,6 +92,7 @@
#### [FirewallConfiguration](wcd/wcd-firewallconfiguration.md)
#### [FirstExperience](wcd/wcd-firstexperience.md)
#### [Folders](wcd/wcd-folders.md)
+#### [HotSpot](wcd/wcd-hotspot.md)
#### [InitialSetup](wcd/wcd-initialsetup.md)
#### [InternetExplorer](wcd/wcd-internetexplorer.md)
#### [Licensing](wcd/wcd-licensing.md)
@@ -112,11 +116,13 @@
#### [StartupBackgroundTasks](wcd/wcd-startupbackgroundtasks.md)
#### [SurfaceHubManagement](wcd/wcd-surfacehubmanagement.md)
#### [TabletMode](wcd/wcd-tabletmode.md)
-#### [TakeATest](wcd/wcd-takeatest.md)
+#### [TakeATest](wcd/wcd-takeatest.md)
+#### [TextInput](wcd/wcd-textinput.md)
#### [Theme](wcd/wcd-theme.md)
#### [UnifiedWriteFilter](wcd/wcd-unifiedwritefilter.md)
#### [UniversalAppInstall](wcd/wcd-universalappinstall.md)
#### [UniversalAppUninstall](wcd/wcd-universalappuninstall.md)
+#### [UsbErrorsOEMOverride](wcd/wcd-usberrorsoemoverride.md)
#### [WeakCharger](wcd/wcd-weakcharger.md)
#### [WindowsTeamSettings](wcd/wcd-windowsteamsettings.md)
#### [WLAN](wcd/wcd-wlan.md)
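Review bot: The TakeATest entry is removed and re-added with text that is identical as shown, so the only difference can be whitespace (trailing spaces or a line ending). If that is not intentional, revert the line so this hunk carries only the new TextInput and UsbErrorsOEMOverride entries; if it is a cleanup, check that the re-added line has no trailing whitespace.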
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-crm.md b/windows/configuration/cortana-at-work/cortana-at-work-crm.md
index 7630406f0d..1475e42e38 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-crm.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-crm.md
@@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: eross-msft
ms.localizationpriority: high
+ms.author: lizross
---
# Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
index 61bf864982..acf462f7e1 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
@@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: eross-msft
ms.localizationpriority: high
+ms.author: lizross
---
# Send feedback about Cortana at work back to Microsoft
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-o365.md b/windows/configuration/cortana-at-work/cortana-at-work-o365.md
index bffa8f1644..554f55e3eb 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-o365.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-o365.md
@@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: eross-msft
ms.localizationpriority: high
+ms.author: lizross
---
# Set up and test Cortana with Office 365 in your organization
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md
index 2a3d087da8..e492f9e0bd 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md
@@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: eross-msft
ms.localizationpriority: high
+ms.author: lizross
---
# Cortana integration in your business or enterprise
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
index 5dd38b8ec8..ff0dbc4457 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
@@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: eross-msft
ms.localizationpriority: high
+ms.author: lizross
---
# Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
index 1eef8c58d2..3859197f3d 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
@@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: eross-msft
ms.localizationpriority: high
+ms.author: lizross
---
# Set up and test Cortana for Power BI in your organization
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
index 3d96f92396..c319ce2fc7 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
@@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: eross-msft
ms.localizationpriority: high
+ms.author: lizross
---
# Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
index d51d5c4c88..43fcd17368 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
@@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: eross-msft
ms.localizationpriority: high
+ms.author: lizross
---
# Test scenario 2 - Perform a quick search with Cortana at work
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
index b04d11d615..9813519fad 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
@@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: eross-msft
ms.localizationpriority: high
+ms.author: lizross
---
# Test scenario 3 - Set a reminder for a specific location using Cortana at work
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
index df57f9ca9d..dd43c46b35 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
@@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: eross-msft
ms.localizationpriority: high
+ms.author: lizross
---
# Test scenario 4 - Use Cortana at work to find your upcoming meetings
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
index 8306c2143a..ccc50a9ebe 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
@@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: eross-msft
ms.localizationpriority: high
+ms.author: lizross
---
# Test scenario 5 - Use Cortana to send email to a co-worker
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
index 1274f67445..c553334d54 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
@@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: eross-msft
ms.localizationpriority: high
+ms.author: lizross
---
# Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
index 051d96937f..6b2b437b4e 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
@@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: eross-msft
ms.localizationpriority: high
+ms.author: lizross
---
# Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
index 070192c8e0..2fa3e6637d 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
@@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: eross-msft
ms.localizationpriority: high
+ms.author: lizross
---
# Testing scenarios using Cortana in your business or organization
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
index 0738115be9..2f73ac7fb5 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
@@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: eross-msft
ms.localizationpriority: high
+ms.author: lizross
---
# Set up and test custom voice commands in Cortana for your organization
diff --git a/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md b/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
index e87d834124..e26d7208df 100644
--- a/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
+++ b/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
@@ -86,7 +86,7 @@ Using assigned access, Windows 10 runs the designated Universal Windows app abo
| --- | --- | --- |
| [Use Settings on the PC](#set-up-assigned-access-in-pc-settings) | Local standard | Pro, Enterprise, Education |
| [Apply a mobile device management (MDM) policy](#set-up-assigned-access-in-mdm) | All (domain, local standard, local administrator, etc) | Pro (1709 only), Enterprise, Education |
-| [Create a provisioning package using Windows Configuration Designer](#wizard) | All (domain, local standard, local administrator, etc) | Pro, Enterprise, Education |
+| [Create a provisioning package using Windows Configuration Designer](#wizard) | All (domain, local standard, local administrator, etc) | Pro (1709 only), Enterprise, Education |
| [Run a PowerShell script](#set-up-assigned-access-using-windows-powershell) | Local standard | Pro, Enterprise, Education |
diff --git a/windows/configuration/wcd/wcd-applicationmanagement.md b/windows/configuration/wcd/wcd-applicationmanagement.md
index af27cea5f0..3a1b160d46 100644
--- a/windows/configuration/wcd/wcd-applicationmanagement.md
+++ b/windows/configuration/wcd/wcd-applicationmanagement.md
@@ -7,13 +7,16 @@ ms.sitesec: library
author: jdeckerMS
ms.localizationpriority: medium
ms.author: jdecker
-ms.date: 08/21/2017
+ms.date: 10/17/2017
---
# ApplicationManagement (Windows Configuration Designer reference)
Use these settings to manage app installation and management.
+>[!NOTE]
+>ApplicationManagement settings are not available in Windows 10, version 1709.
+
## Applies to
| Settings | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
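Review bot: The added note says ApplicationManagement settings "are not available in Windows 10, version 1709", but the page goes straight on to the "Applies to" table as if the settings were current. Say which versions the rest of the page applies to, and make clear whether the settings are missing only in 1709 or from 1709 onward, so a reader building a provisioning package knows whether to expect them.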
diff --git a/windows/configuration/wcd/wcd-assignedaccess.md b/windows/configuration/wcd/wcd-assignedaccess.md
index 201fc633e1..9c310df802 100644
--- a/windows/configuration/wcd/wcd-assignedaccess.md
+++ b/windows/configuration/wcd/wcd-assignedaccess.md
@@ -7,7 +7,7 @@ ms.sitesec: library
author: jdeckerMS
ms.localizationpriority: medium
ms.author: jdecker
-ms.date: 08/21/2017
+ms.date: 10/17/2017
---
# AssignedAccess (Windows Configuration Designer reference)
@@ -19,6 +19,7 @@ Use this setting to configure single use (kiosk) devices.
| Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: | :---: |
| [AssignedAccessSettings](#assignedaccesssettings) | X | | | X | |
+| [MultiAppAssignedAccessSettings](#multiappassignedaccesssettings) | X | | | | |
## AssignedAccessSettings
@@ -30,6 +31,18 @@ Enter the account and the application you want to use for Assigned access, using
```
"Account":"domain\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"
```
+
+## MultiAppAssignedAccessSettings
+
+>[!NOTE]
+>MultiAppAssignedAccessSettings is supported on Windows 10, version 1709 only.
+
+Use this setting to configure a kiosk device that runs more than one app.
+
+1. [Create an assigned access configuration XML file for multiple apps.](../lock-down-windows-10-to-specific-apps.md)
+2. In Windows Configuration Designer, select **MultiAppAssignedAccessSettings**.
+3. Browse to and select the assigned access configuration XML file.
+
## Related topics
- [AssignedAccess configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/assignedaccess-csp)
\ No newline at end of file
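Review bot: In step 1 of the new MultiAppAssignedAccessSettings procedure the sentence period sits inside the link text ("[Create an assigned access configuration XML file for multiple apps.](...)"); move it outside the closing parenthesis so the link text matches the other steps' style. The note says the setting is supported on version 1709 only, while the new row in the "Applies to" table carries no version qualifier, so consider marking it there as well. The file also still ends without a trailing newline; since the end of the file is being edited, add one.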
diff --git a/windows/configuration/wcd/wcd-callandmessagingenhancement.md b/windows/configuration/wcd/wcd-callandmessagingenhancement.md
index f3905fe8bc..0ccf7992cb 100644
--- a/windows/configuration/wcd/wcd-callandmessagingenhancement.md
+++ b/windows/configuration/wcd/wcd-callandmessagingenhancement.md
@@ -7,13 +7,16 @@ ms.sitesec: library
author: jdeckerMS
ms.localizationpriority: medium
ms.author: jdecker
-ms.date: 08/21/2017
+ms.date: 10/17/2017
---
# CallAndMessagingEnhancement (Windows Configuration Designer reference)
Use to configure call origin and blocking apps.
+>[!IMPORTANT]
+>These settings are intended to be used only by manufacturers, mobile operators, and solution providers when configuring devices, and are not intended for use by administrators in the enterprise.
+
## Applies to
| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
diff --git a/windows/configuration/wcd/wcd-calling.md b/windows/configuration/wcd/wcd-calling.md
new file mode 100644
index 0000000000..0b1d46a821
--- /dev/null
+++ b/windows/configuration/wcd/wcd-calling.md
@@ -0,0 +1,146 @@
+---
+title: Calling (Windows 10)
+description: This section describes the Calling settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+ms.localizationpriority: medium
+ms.author: jdecker
+ms.date: 10/17/2017
+---
+
+# Calling (Windows Configuration Designer reference)
+
+Use to configure settings for Calling.
+
+>[!IMPORTANT]
+>These settings are intended to be used only by manufacturers, mobile operators, and solution providers when configuring devices, and are not intended for use by administrators in the enterprise.
+
+## Applies to
+
+| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| All settings | | X | | | |
+
+
+## Branding
+
+See [Branding for phone calls](https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/branding-for-phone-calls).
+
+## PartnerAppSupport
+
+See [Dialer codes to launch diagnostic applications](https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/dialer-codes-to-launch-diagnostic-applications).
+
+## PerSimSettings
+
+Use to configure settings for each subscriber identification module (SIM) card. Enter the Integrated Circuit Card Identifier (ICCID) for the SIM card, click Add, and then configure the folowing settings.
+
+### Critical
+
+Setting | Description
+--- | ---
+MOSimFallbackVoicemailNumber | Partners who do not have the voicemail numbers on the device SIM can configure the voicemail number for their devices. If the voicemail number is not on the SIM and the registry key is not set, the default voicemail will not be set and the user will need to set the number. Set MOSimFallbackVoicemailNumber to the voicemail number that you want to use for the phone.
+SimOverrideVoicemailNumber | Mobile operators can override the voicemail number on the UICC with a different voicemail number that is configured in the registry. Set SimOverrideVoicemailNumber to a string that contains the digits of the voicemail number to use instead of the voicemail number on the UICC.
+
+
+### General
+
+Setting | Description
+--- | ---
+AllowVideoConferencing | Set as **True** to enable the ability to conference video calls.
+DefaultCallerIdSetting | Configure the default setting for caller ID. Select between `No one`, `Only contacts`, `Every one`, and `Network default`. If set to `Network default`, set `ShowCallerIdNetworkDefaultSetting` to **True**.
+DefaultEnableVideoCalling | Set as **True** to enable LTE video calling as the default setting.
+IgnoreMWINotifications | Set as **True** to configure the voicemail system so the phone ignores message waiting indicator (MWI) notifications.
+IgnoreUssdExclusions | Set as **True** to ignore Unstructured Supplementary Service Data (USSD) exclusions.
+ResetCallForwarding | When set to **True**, user is provided with an option to retry call forwarding settings query.
+ShowCallerIdNetworkDefaultSetting | Indicates whether the network default setting can be allowed for outgoing caller ID.
+ShowVideoCallingSwitch | Use to specify whether to show the video capability sharing switch on the mobile device's Settings screen.
+SupressVideoCallingChargesDialog | Configure the phone settings CPL to supress the video calling charges dialog.
+UssdExclusionList | List used to exclude predefined USSD entries, allowing the number to be sent as standard DTMF tones instead. Set UssdExclusionList to the list of desired exclusions, separated by semicolons. For example, setting the value to 66;330 will override 66 and 330. Leading zeros are specified by using F. For example, to override code 079, set the value to F79. If you set UssdExclusionList, you must set IgnoreUssdExclusions as well. Otherwise, the list will be ignored. See [List of USSD codes](#list-of-ussd-codes) for values.
+WiFiCallingOperatorName | Enter the operator name to be shown when the phone is using WiFi calling. If you don't set a value for WiFiCallingOperatorName, the device will always display **SIMServiceProviderName Wi-Fi**, where *SIMServiceProviderName* is a string that corresponds to the SPN for the SIM on the device. If the service provider name in the SIM is not set, only **Wi-Fi** will be displayed.
+
+
+
+## PhoneSettings
+
+Setting | Description
+--- | ---
+AssistedDialSetting | Turn off the international assist feature that helps users with the country codes needed for dialing international phone numbers.
+CallIDMatch | Sets the number of digits that the OS will try to match against contacts for Caller ID. For any country/region that doesn't exist in the default mapping table, mobile operators can use this legacy CallIDMatch setting to specify the minimum number of digits to use for matching caller ID.
+ContinuousDTMFEnabled | Enable DTMF tone duration for as long as the user presses a dialpad key.
+DisableVoicemailPhoneNumberDisplay | Disable the display of the voicemail phone number below the Voicemail label in call progress dialog.
+HideCallForwarding | Partners can hide the user option to turn on call forwarding. By default, users can decide whether to turn on call forwarding. Partners can hide this user option so that call forwarding is permanently disabled.
+ShowLongTones | Partners can make a user option visible that makes it possible to toggle between short and long DTMF tones, instead of the default continuous tones. By default, the phone supports Dual-Tone Multi-frequency (DTMF) with continuous tones. Partners can make a user option visible that makes it possible to toggle between short and long tones instead.
+UseOKForUssdDialogs | OEMs can change the button label in USSD dialogs from **Close** (the default) to **OK**.
+VoLTEAudioQualityString | Partners can add a string to the call progress screen to indicate if the active call is a high quality voice over LTE (VoLTE). Set the value of VoLTEAudioQualityString to the string that you want to display in the call progress screen to indicate that the call is a VoLTE call. This string is combined with the PLMN so if the string is "VoLTE", the resulting string is "PLMN_String VoLTE". For example, the string displayed in the call progress screen can be "Litware VoLTE" if the PLMN_String is "Litware". The value you specify for VoLTEAudioQualityString must exceed 10 characters.
+
+
+## SupplementaryServiceCodeOverrides
+
+See [Dialer codes for supplementary services](https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/dialer-codes-for-supplementary-services).
+
+## VoicemailRegistrationTable
+
+Configure these settings to customize visual voicemail in the Windows 10 Mobile UI. For settings and values, see [Visual voicemail](https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/visual-voicemail).
+
+
+## List of USSD codes
+
+
+Codes | Description | DWORD Value
+--- | --- | ---
+04 | CHANGEPIN | 000000F4
+042 | CHANGEPIN2 | 00000F42
+05 | UNBLOCKPIN | 000000F5
+052 | UNBLOCKPIN2 | 00000F52
+03 | SSCHANGEPASSWORD | 000000F3
+75 | EMLPPBASE | 00000075
+750 | EMLPPLEVEL0 | 00000750
+751 | EMLPPLEVEL1 | 00000751
+752 | EMLPPLEVEL2 | 00000752
+753 | EMLPPLEVEL3 | 00000753
+754 | EMLPPLEVEL4 | 00000754
+66 | CALLDEFLECT | 00000066
+30 | CALLIDCLIP | 00000030
+31 | CALLIDCLIR | 00000031
+76 | CALLIDCOLP | 00000076
+77 | CALLIDCOLR | 00000077
+21 | FWDUNCONDITIONAL | 00000021
+67 | FWDBUSY | 00000067
+61 | FWDNOREPLY | 00000061
+62 | FWDNOTREACHABLE | 00000062
+002 | FWDALL | 00000FF2
+004 | FWDALLCONDITIONAL | 00000FF4
+43 | CALLWAITING | 00000043
+360 | UUSALL | 00000360
+361 | UUSSERVICE1 | 00000361
+362 | UUSSERVICE2 | 00000362
+363 | UUSSERVICE3 | 00000363
+33 | BARROUT | 00000033
+331 | BARROUTINTL | 00000331
+332 | BARROUTINTLEXTOHOME | 00000332
+35 | BARRIN | 00000035
+351 | BARRINROAM | 00000351
+330 | BARRALL | 00000330
+333 | BARRALLOUT | 00000333
+353 | BARRALLIN | 00000353
+354 | BARRINCOMINGINTERMEDIATE | 00000354
+96 | CALLTRANSFER | 00000096
+37 | CALLCOMPLETEBUSY | 00000037
+070 | PNP0 | 00000F70
+071 | PNP1 | 00000F71
+072 | PNP2 | 00000F72
+073 | PNP3 | 00000F73
+074 | PNP4 | 00000F74
+075 | PNP5 | 00000F75
+076 | PNP6 | 00000F76
+077 | PNP7 | 00000F77
+078 | PNP8 | 00000F78
+079 | PNP9 | 00000F79
+300 | CALLCNAP | 00000300
+591 | MSP1 | 00000591
+592 | MSP2 | 00000592
+593 | MSP3 | 00000593
+594 | MSP4 | 00000594
+
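Review bot: the "List of USSD codes" table that closes this file never says which setting consumes the DWORD values or how they are derived from the codes. The rows imply a rule: each leading zero in the code is written as F (04 becomes 000000F4, 042 becomes 00000F42, 002 becomes 00000FF2), while codes without a leading zero are copied unchanged (750 becomes 00000750). A reader has to infer that, so add a sentence under the heading that states the rule and points back to the section that uses the table. Smaller points: the header reads "Codes" although each row holds a single code, and the doubled blank lines around the heading can be collapsed to one.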
diff --git a/windows/configuration/wcd/wcd-cellcore.md b/windows/configuration/wcd/wcd-cellcore.md
new file mode 100644
index 0000000000..57347d1878
--- /dev/null
+++ b/windows/configuration/wcd/wcd-cellcore.md
@@ -0,0 +1,436 @@
+---
+title: CellCore (Windows 10)
+description: This section describes the CellCore settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+ms.localizationpriority: medium
+ms.author: jdecker
+ms.date: 10/17/2017
+---
+
+# CellCore (Windows Configuration Designer reference)
+
+Use to configure settings for cellular data.
+
+>[!IMPORTANT]
+>These settings are intended to be used only by manufacturers, mobile operators, and solution providers when configuring devices, and are not intended for use by administrators in the enterprise.
+
+## Applies to
+
+ Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core
+ --- | :---: | :---: | :---: | :---: | :---:
+ PerDevice: [CellConfigurations](#cellconfigurations) | | X | | |
+ PerDevice: [CellData](#celldata) CellularFailover | X | X | | |
+ PerDevice: [CellData](#celldata) MaxNumberOfPDPContexts | | X | | |
+ PerDevice: [CellData](#celldata) ModemProfiles | | X | | |
+ PerDevice: [CellData](#celldata) PersistAtImaging | | X | | |
+ PerDevice: [CellUX](#cellux) | | X | | |
+ PerDevice: [CGDual](#cgdual) | | X | | |
+ PerDevice: [eSim](#esim) | X | X | | |
+ PerDevice: [External](#external) | | X | | |
+ PerDevice: [General](#general) | | X | | |
+ PerDevice: [RCS](#rcs) | | X | | |
+ PerDevice: [SMS](#sms) | X | X | | |
+ PerDevice: [UIX](#uix) | | X | | |
+ PerDevice: [UTK](#utk) | | X | | |
+ PerlMSI: [CellData](#celldata2) | | X | | |
+ PerIMSI: [CellUX](#cellux2) | | X | | |
+ PerIMSI: [General](#general2) | | X | | |
+ PerIMSI: [RCS](#rcs2) | | X | | |
+ PerIMSI: [SMS](#sms2) | X | X | | |
+ PerIMSI: [UTK](#utk2) | | X | | |
+ PerIMSI: [VoLTE](#volte) | | X | | |
+
+
+## PerDevice
+
+### CellConfigurations
+
+
+
+1. In **CellConfiguration** > **PropertyGroups**, enter a name for the property group.
+2. Select the **PropertyGroups** you just created in the **Available customizations** pane and then enter a **PropertyName**.
+3. Select the **PropertyName** you just created in the **Available customizations** pane, and then select one of the following data types for the property:
+ - Binary
+ - Boolean
+ - Integer
+ - String
+4. The data type that you selected is added in **Available customizations**. Select it to enter a value for the property.
+
+### CellData
+
+Setting | Description
+--- | ---
+CellularFailover | Allow or disallow cellular data failover when in limited Wi-Fi connectivity. By default, if the phone is connected to a Wi-Fi network and the data connection to a site is unsuccessful due to limited Wi-Fi connectivity, the phone will complete the connection to the site using available cellular data networks (when possible) to provide an optimal user experience. When the customization is enabled, a user option to use or not use cellular data for limited Wi-Fi connectivity becomes visible in the **Settings** > **cellular+SIM** screen. This option is automatically set to **don’t use cellular data** when the customization is enabled.
+MaxNumberOfPDPContexts | Set a maximum value (1 through 4, inclusive, or 0x1 through 0x4 hexadecimal) for the number of simultaneous packet data protocol (PDP) contexts for 3GPP connections. By default, the OS enforces a maximum of four (4) simultaneous packet data protocol (PDP) contexts for 3GPP connections, and one (1) PDP context for 3GPP2 connections. You can set a different maximum value if required by their mobile operator. The same maximums apply for both roaming and non-roaming scenarios. This maximum does not include packet contexts used internally by the modem.
+ModemProfiles > LTEAttachGuids | Set the value for LTEAttachGuid to the OemConnectionId GUID used for the LTE attach profile in the modem. The value is a GUID in the string format *XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX*.
+PersistAtImaging > DisableAoAc | Enable or disable Always-on/Always-connected (AoAc) on the WWAN adapter.
+
+
+### CellUX
+
+Setting | Description
+--- | ---
+APNAuthTypeDefault | Select between **Pap** and **Chap** for default APN authentication type.
+APNIPTypeIfHidden | Select between **IPV4**, **IPV6**, **IPV4V6**, and **IPV4V6XLAT** for default APN IP type.
+Critical > ShowVoLTEToggle | Select **Yes** to show the VoLTE toggle in the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to hide the toggle.
+Disable2GByDefault | Select **Yes** to disable 2G by default. Select **No** to enable 2G.
+Disabled2GNoticeDescription | Enter text to customize the notification for disabled 2G.
+GenericWifiCallingErrorMessage | Enter text to customize the generic error message when a Wi-Fi calling error occurs.
+Hide3GPP2ModeSelection | Select **Yes** to hide the **CDMA** option in the network **Mode** selection drop-down menu. Select **No** to show the **CDMA** option.
+Hide3GPP2Selection | For 3GPP2 or CDMA phones, select **Yes** to hide the **Network Type** drop-down menu in the **SIM** settings screen. Select **No** to show **Network Type**.
+Hide3GPPNetworks | For 3GPP or GSM phones, select **Yes** to hide the **Network Type** drop-down menu in the **SIM settings** screen. Select **No** to show **Network Type**.
+HideAPN | Select **Yes** to hide the **add internet APN** button in the **SIM settings** screen. Select **No** to show **add internet APN**.
+HideAPNAuthType | Select **Yes** to hide the APN authentication selector. Select **No** to show the APN authentication selector.
+HideAPNIPType | Select **Yes** to hide the **IP type** list in the **internet APN** settings screen. Select **No** to show **IP type**.
+HideDisabled2GNotice | Select **Yes** to hide the notification for disabled 2G. Select **No** to show the notification for disabled 2G.
+HideHighestSpeed | Select **Yes** to hide the **Highest connection speed** drop-down menu on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show **Highest connection speed**.
+HideHighestSpeed2G | Select **Yes** to hide the 2G option on the **Highest connection speed** drop-down menu on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show the 2G option.
+HideHighestSpeed3GOnly | Select **Yes** to hide the 3G option on the **Highest connection speed** drop-down menu on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show the 3G option.
+HideHighestSpeed4G | Select **Yes** to hide the 4G option on the **Highest connection speed** drop-down menu on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show the 4G option.
+HideHighestSpeed4G3GOnly | Select **Yes** to hide the 4G or 3G Only option on the **Highest connection speed** drop-down menu on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show the 4G or 3G Only option.
+HideHighestSpeed4GOnly | Select **Yes** to hide the 4G Only option on the **Highest connection speed** drop-down menu on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show the 4G Only option.
+HideLTEAttachAPN | Select **Yes** to hide the **LTE attach APN** button on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show the **LTE attach APN** button.
+HideMMSAPN | Select **Yes** to hide the **add mms apn** button on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show the **add mms apn** button.
+HideMMSAPNAuthType | Select **Yes** to hide the APN authentication type selector on the MMS APN page. Select **No** to show APN authentication selector.
+HideMMSAPNIPType | Select **Yes** to hide the APN IP type selector on the MMS APN page. Select **No** to show the APN IP type selector.
+HideModeSelection | Select **Yes** to hide the **Network Mode selection** drop-down menu on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show the **Network Mode selection**.
+HidePersoUnlock | Select **Yes** to hide the Perso unlock UI. Select **No** to show the Perso unlock UI.
+HighestSpeed2G | You can customize the listed names of the connection speeds with their own character codes. To modify "2G" to another character code, change the value of HighestSpeed2G. Although there is no limit to the number of characters you can use, if the character code is too long, it will be truncated in the UI.
+HighestSpeed3G | You can customize the listed names of the connection speeds with their own character codes. To modify "3G" to another character code, change the value of HighestSpeed3G. Although there is no limit to the number of characters you can use, if the character code is too long, it will be truncated in the UI.
+HighestSpeed3GOnly | You can customize the listed names of the connection speeds with their own character codes. To modify "3G Only" to another character code, change the value of HighestSpeed3GOnly. Although there is no limit to the number of characters you can use, if the character code is too long, it will be truncated in the UI.
+HighestSpeed3GPreferred | You can customize the listed names of the connection speeds with their own character codes. To modify "3G Preferred" to another character code, change the value of HighestSpeed3GPreferred. Although there is no limit to the number of characters you can use, if the character code is too long, it will be truncated in the UI.
+HighestSpeed4G | You can customize the listed names of the connection speeds with their own character codes. To modify "4G" to another character code, change the value of HighestSpeed4G. Although there is no limit to the number of characters you can use, if the character code is too long, it will be truncated in the UI.
+HighestSpeed4G3GOnly | You can customize the listed names of the connection speeds with their own character codes. To modify "4G or 3G Only" to another character code, change the value of HighestSpeed4G3GOnly. Although there is no limit to the number of characters you can use, if the character code is too long, it will be truncated in the UI.
+HighestSpeed4GOnly | You can customize the listed names of the connection speeds with their own character codes. To modify "4G Only" to another character code, change the value of HighestSpeed4GOnly. Although there is no limit to the number of characters you can use, if the character code is too long, it will be truncated in the UI.
+HighestSpeedTitle | You can customize the **Highest connection speed** drop-down label in the **Settings** > **Cellular+SIM** > **SIM** settings page. To change the Highest connection speed drop-down label, set HighestSpeedTitle to another string. For example, you can set this to "Preferred connection speed".
+IsATTSpecific | Control the roaming text for AT&T devices. AT&T requires the phone to show a particular roaming text to meet their legal and marketing guidelines. By default, if the user chooses **roam** under **Data roaming options** in the **Settings** > **Cellular+SIM** screen, they will see the following text: *Depending on your service agreement, you might pay more when using data roaming.* If you set IsATTSpecific to **Yes**, the following roaming text will be displayed instead: *International data roaming charges apply for data usage outside the United States, Puerto Rico, and United States Virgin Islands. Don’t allow roaming to avoid international data roaming charges.*
+LTEAttachGUID | Set the value for LTEAttachGuid to the OemConnectionId GUID used for the LTE attach profile in the modem. The value is a GUID in the string format *XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX*.
+MMSAPNAuthTypeDefault | Select between **Pap** and **Chap** for default MMS APN authentication type.
+MMSAPNIPTypeIfHidden | Select between **IPV4**, **IPV6**, **IPV4V6**, and **IPV4V6XLAT** for default MMS APN IP type.
+ShowExtendedRejectCodes | When a reject code is sent by the network, partners can specify that extended error messages should be displayed instead of the standard simple error messages. This customization is only intended for use when required by the mobile operator’s network. The short versions of the extended reject message are shown in the following screens:- Phone tile in Start- Call History screen- Dialer- Call Progress screen- Incoming Call screen- As the status string under Settings > cellular+SIMThe long version of the extended reject message is shown under the Active Network label in **Settings** > **cellular+SIM**. Select **Yes** to show the extended error message. Select **No** to hide the extended error message. See [Error messages for reject codes](#errorreject) to see the versions of the message.
+ShowHighestSpeed3GPreferred | Select **Yes** to show the **3G Preferred** option in the **Highest connection speed** drop-down menu. Select **No** to hide **3G Preferred**.
+ShowManualAvoidance | Select **Yes** to show the **Switch to next network manually** button in SIM settings when Mode Selection is CDMA on a C+G dual SIM phone. Select **No** to hide the **Switch to next network manually** button
+ShowPreferredPLMNPage | Select **Yes** to show the preferred public land mobile network (PLMN) page in SIM settings.
+ShowSpecificWifiCallingError | Select **Yes** to show a specific error message based on operator requirements.
+ShowViewAPN | Select **Yes** to show the **View Internet APN** button in **Settings** > **cellular+SIM**.
+ShowWifiCallingEmergencyCallWarning | Select **Yes** to show Wi-Fi emergency call warning.
+ShowWifiCallingError | Select **Yes** to show Wi-Fi calling error message.
+SuppressDePersoUI | Select **Yes** to hide the perso unlock UI.
+
+
+### CGDual
+
+Use **CGDual** > **RestrictToGlobalMode** to configure settings for global mode on C+G Dual SIM phones. When the device registration changes, if the value for this setting is set, the OS changes the preferred system type to the default preferred system type for world mode. If the phone is not camped on any network, the OS assumes the phone is on the home network and changes the network registration preference to default mode.
+
+Select from the following:
+
+- RestrictToGlobalMode_Disabled: the phone is not restricted to global mode.
+- RestrictToGlobalMobe_Home: when a slot is registered at home and supports global mode, the mode selection is restricted to global mode.
+- RestrictToGlobalMode_Always: if a slot supports global mode and this value is selected, the mode selection is restricted to global mode.
+
+### eSim
+
+Configure **FwUpdate** > **AllowedAppIdList** to whitelist apps that are allowed to update the firmware. Obtain the app IDs from the card vendor.
+
+### External
+
+Setting | Description
+--- | ---
+CallSupplementaryService > OTASPNonStandardDialString | Enter a list of all desired non-standard OTASP dial strings.
+CarrierSpecific > FallBackMode | Select between **GWCSFB** and **1xCSFB** for fallback mode.
+CarrierSpecific > VZW > ActSeq | Enables activation for 4G VZW card. Do not configure this setting for non-VZW devices.
+EnableLTESnrReporting | Select between **Use only RSRP** and **Use both RSRP and ECNO** to check if SNR needs to be used for LTE Signal Quality calculations.
+EnableUMTSEcnoReporting | Select between **Use only RSSI** and **Use both RSSI and SNR** to check if SNR needs to be used for UMTS Signal Quality calculations.
+ImageOnly > ERI > AlgorithmMBB0 | Select between **Sprint** and **Verizon** to specify the ERI algorithm in MBB for subscription 0.
+ImageOnly > ERI > AlgorithmMBB1 | Select between **Sprint** and **Verizon** to specify the ERI algorithm in MBB for subscription 1.
+ImageOnly > ERI > AlgorithmWmRil | Select between **Sprint** and **Verizon** to specify the ERI-based notification algorithm.
+ImageOnly > ERI > DataFileNameWmRil | Specify the location of the ERI file on the device; for example, `C:\Windows\System32\SPCS_en.eri`. *SPCS_en.eri* is a placeholder. Obtain the ERI file name from the mobile operator and replace this filename with it.
+ImageOnly > ERI > EnabledWmRil | Enable or disable ERI-based notifications.
+ImageOnly > ERI > ERIDataFileNameMBB0 | Specify the ERI data file name with international roaming list for Verizon in MBB for subscription 0.
+ImageOnly > ERI > ERIDataFileNameMBB1 | Specify the ERI data file name with international roaming list for Verizon in MBB for subscription 1.
+ImageOnly > ERI > ERISprintIntlRoamDataFileNameMBB0 | Specify the ERI data file name with international roaming list for Sprint in MBB for subscription 0.
+ImageOnly > ERI > ERISprintIntlRoamDataFileNameMBB1 | Specify the ERI data file name with international roaming list for Sprint in MBB for subscription 1.
+ImageOnly > ERI > SprintInternationalERIValuesWmRil | Specify the international ERI values for Sprint as `to 4A,7C,7D,7E,9D,9E,9F,C1,C2,C3,C4,C5,C6,E4,E5,E6,E7,E8.`.
+ImageOnly > MTU > DormancyTimeout0 | Enter the number of milliseconds to wait after dormancy hint before telling the modem to make the air interface dormant for subscription 0. Minimum value is 1703, and maximum value is 5000.
+ImageOnly > MTU > DormancyTimeout1 | Enter the number of milliseconds to wait after dormancy hint before telling the modem to make the air interface dormant for subscription 1. Minimum value is 1703, and maximum value is 5000.
+ImageOnly > MTU > MTUDataSize | Customize the TCP maximum segment size (MSS) by setting the maximum transmission unit (MTU) data size if the MSS does not meet the requirements of the mobile operator network. For TCP, the default maximum transmission unit (MTU) is set to 1500 bytes, which makes the maximum segment size (MSS) 1460 bytes. In general, this value should not be changed, as the user experience will degrade if low values are set. However, if the MSS does not meet the requirements of the mobile operator network, OEMs can customize it by setting the MTU data size. This customization configures the MTU, so the size should be set to the required MSS size plus 40 bytes.
+ImageOnly > MTU > RoamingMTUDataSize | Customize the TCP maximum segment size (MSS) for roaming by setting the maximum transmission unit (MTU) data size if the MSS does not meet the requirements of the mobile operator network. For TCP, the default maximum transmission unit (MTU) is set to 1500 bytes, which makes the maximum segment size (MSS) 1460 bytes. In general, this value should not be changed, as the user experience will degrade if low values are set. However, if the MSS does not meet the requirements of the mobile operator network, OEMs can customize it for roaming by setting the MTU data size. This customization configures the MTU, so the size should be set to the required MSS size plus 40 bytes.
+ImageOnly > SuppressNwPSDetach | Configure whether to suppress reporting of network-initiated PS detach (appear attached to OS) until deregistered.
+SignalBarMapping Table | You can modify the percentage values used for the signal strength in the status bar per filter. For details, see [Custom percentages for signal strength bars](https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/custom-percentages-for-signal-strength-bars).
+SRVCCAutoToggleWmRil | Configure whether to link SRVCC to VOLTE on/off.
+
+
+
+### General
+
+Setting | Description
+--- | ---
+atomicRoamingTableSettings3GPP | If you enable 3GPP roaming, configure the following settings:- **Exceptions** maps the SerialNumber key to the Exceptions value. The wildcard, $(SerialNumber), is a 3-digit decimal serial number (000 through 999) represented as a string. The wildcard is used as a regvalue under the "Exceptions" subkey. Multiple reg values in this form may be configured or customized by the OEM, all placed under the same subkey (Exceptions). The data in the regvalue is a string representing an MCC-MNC pair, such as "410510" where 410 is the MCC and 510 is the MNC.- **HomePLMN** maps the SerialNumber key to the HomePLMN value. The wildcard, $(SerialNumber), is a 3-digit decimal serial number (000 through 999) represented as a string. The wildcard is used as a regvalue under the "HomePLMN" subkey. Multiple reg values in this form may be configured or customized by the OEM, all placed under the same subkey (HomePLMN). The data in the regvalue is a string representing an MCC-MNC pair, such as "410510" where 410 is the MCC and 510 is the MNC.- **TargetImsi** maps the SerialNubmer key to the TargetIMSI value. The wildcard, $(SerialNumber), is a 3-digit decimal serial number (000 through 999) represented as a string. The wildcard is used as a regvalue under the "TargetImsi" subkey. Multiple reg values in this form may be configured or customized by the OEM, all placed under the same subkey (TargetImsi). The data in the regvalue is a string representing an MCC-MNC pair, such as "410510" where 410 is the MCC and 510 is the MNC.
+atomicRoamingTableSettings3GPP2 | If you enable 3GPP2 roaming, configure the following settings:- **Home** maps the SerialNumber key to the Home value. The wildcard, $(SerialNumber), is a 3-digit decimal serial number (000 through 999) represented as a string. The wildcard is used as a regvalue under the "Home" subkey. Multiple reg values in this form may be configured or customized by the OEM, all placed under the same subkey (Home). The data in the regvalue is a DWORD representing the Roaming Indicator. - **Roaming** maps the SerialNumber key to the Roaming value. The wildcard, $(SerialNumber), is a 3-digit decimal serial number (000 through 999) represented as a string. The wildcard is used as a regvalue under the "Roaming" subkey. Multiple reg values in this form may be configured or customized by the OEM, all placed under the same subkey (Roaming). The data in the regvalue is a DWORD representing the Roaming Indicator.
+AvoidStayingInManualSelection | You can enable permanent automatic mode for mobile networks that require the cellular settings to revert to automatic network selection after the user has manually selected another network when roaming or out of range of the home network.
+CardAllowList | Define the list of SIM cards allowed in the first slot of a C+G dual SIM phone. This setting is used only if **CardLock** is set to allow it. If **CardLock** is not set, this list is ignored. To configure the list of SIM cards allowed in the first slot, set the value for CardAllowList to a comma-separated MCC:MNC list. You can also use wild cards, represented by an asterisk, to accept any value. For example, you can set the value to `310:410,311:*,404:012,310:70`.
+CardBlockList | Define the list of SIM cards that are not allowed in the first slot of a C+G dual SIM phone. This setting is used only if **CardLock** is set to allow it. If **CardLock** is not set, this list is ignored. To configure the list of SIM cards that are not allowed in the first slot, set the value for CardBlockList to a comma separated MCC:MNC list. You can also use wild cards, represented by an asterisk, to accept any value. For example, you can set the value to `310:410,311:*,404:012,310:70`.
+CardLock | Used to enforce either the card allow list or both the card allow and block lists on a C+G dual SIM phone.
+DefaultSlotAffinity | Set the data connection preference for:- **SlotAffinityForInternetData_Automatic**: data connection preference is automatically set- **SlotAffinityForInternetData_Slot0**: sets the data connection preference to Slot 0. The data connection cannot be edited by the user.- **SlotAffinityForInternetData_Slot1**: Sets the data connection preference to Slot 1. The data connection cannot be edited by the user.
+DisableLTESupportWhenRoaming | Set to **Yes** to disable LTE support when roaming.
+DisableSystemTypeSupport | Enter the system types to be removed.
+DTMFOffTime | Sets the length of time, in milliseconds (between 64 and 1000 inclusive), of the pause between DTMF digits. For example, a value of 120 specifies 0.12 seconds.
+DTMFOnTime | Sets the length of time, in milliseconds (between 64 and 1000 inclusive), to generate the DTMF tone when a key is pressed. For example, a value of 120 specifies 0.12 seconds.
+ExcludedSystemTypesByDefault | Set the default value for **Highest connection speed** in the **Settings** > **Cellular & SIM** > **SIM** screen by specifying the bitmask for any combination of radio technology to be excluded from the default value. The connection speed that has not been excluded will show up as the highest connection speed. On dual SIM phones that only support up to 3G connection speeds, the **Highest connection speed** option is replaced by a 3G on/off toggle based on the per-device setting. Enter the binary setting to exclude 4G (`10000`) or 3G (`01000`).
+ExcludedSystemTypesPerOperator | Exclude specified system types from SIM cards that match the MCC:MNC pairs listed in **OperatorListForExcludedSystemTypes**. This setting is used only for China. Set the value to match the system type to be excluded. For more information about the RIL system types, see [RILSYSTEMTYPE](https://msdn.microsoft.com/library/windows/hardware/dn931143.aspx). For example, a value of 0x8 specifies RIL_SYSTEMTYPE_UMTS (3G) while 0x10 specifies RIL_SYSTEMTYPE_LTE (4G). To exclude more than one system type, perform a bitwise OR operation on the radio technologies you want to exclude. For example, a bitwise OR operation on RIL_SYSTEMTYPE_LTE (4G) and RIL_SYSTEMTYPE_UMTS (3G) results in the value 11000 (binary) or 0x18 (hexadecimal). In this case, the ExcludedSystemTypesPerOperator value must be set to 0x18 to limit the matching MCC:MNC pairs to 2G.
+LTEEnabled | Select **Yes** to enable LTE, and **No** to disable LTE.
+LTEForced | Select **Yes** to force LTE.
+ManualNetworkSelectionTimeout | Set the default network selection timeout value, in a range of 1-600 seconds. By default, the OS allows the phone to attempt registration on the manually selected network for 60 seconds (or 1 minute) before it switches back to automatic mode. This value is the amount of time that the OS will wait for the modem to register on the manually selected network. If the time lapses and the modem was not able to register on the network that was manually selected by the user, the OS will either switch back to the automatic network selection mode if Permanent automatic mode is enabled, and the user has manually selected a network or the modem was turned on, or display a dialog that notifies the user that the phone was unable to connect to the manually selected network after the phone was turned on or after airplane mode was turned off.
+NetworkSuffix | To meet branding requirements for some mobile operators, you can add a suffix to the network name that is displayed on the phone. For example, you can change from ABC to ABC 3G when under 3G coverage. This feature can be applied for any radio access technology (RAT). For TD-SCDMA RAT, a 3G suffix is always appended by default, but partners can also customize this the same way as with any other RAT. In the setting name, set SYSTEMTYPE to the network type that you want to append the network name to and click **Add**:- system type 4: 2G (GSM)- system type 8: 3G (UMTS)- system type 16: LTE- system type 32: 3G (TS-SCDMA)Select the system type that you added, and enter the network name and suffix that you want displayed.
+NitzFiltering | For mobile networks that can receive Network Identity and Time Zone (NITZ) information from multiple sources, partners can set the phone to ignore the time received from an LTE network. Time received from a CDMA network is not affected. Set the value of NitzFiltering to `0x10`.
+OperatorListForExcludedSystemTypes | Enter a comma-separated list of MCC and MNC (MCC:MNC) for which system types should be restricted. For mobile operators that require more control over the system types that their phones use to connect to the mobile operators' networks, OEMs can specify the MCC and MNC of other specific operators that the main mobile operator wishes to limit. If the UICC's MCC and MNC matches any of the pairs that OEMs can specify for the operator, a specified RIL system type will be removed from the UICC regardless of its app types, slot position, or executor mapping. This setting is used only for China. OEMs should not use this setting unless required by the mobile operator. Set the value of the OperatorListForExcludedSystemTypes setting a comma separated list of MCC:MNC pairs for which the system types should be restricted. For example, the value can be set to 310:026,310:030 to restrict operators with an MCC:MNC of 310:026 and 310:030.
+OperatorPreferredForFasterRadio | Set Issuer Identification Number (IIN) or partial ICCID of preferred operator for the faster radio. For mobile operators that require more control over the system types that their phones use to connect to the mobile operators' networks, OEMs can map a partial ICCID or an Industry Identification Number (IIN) to the faster radio regardless of which SIM card is chosen for data connectivity. This setting is used only for China. OEMs should not use this setting unless required by the mobile operator. To map a partial ICCID or an IIN to the faster radio regardless of which SIM card is chosen for data connectivity, set the value of OperatorPreferredForFasterRadio to match the IIN or the ICCID, up to 7 digits, of the preferred operator.
+PreferredDataProviderList | OEMs can set a list of MCC/MNC pairs for the purchase order (PO) carrier or primary operator. For mobile operators that require it, OEMs can set a list of MCC/MNC pairs for the purchase order (PO) carrier or primary operator so that it can be set as the default data line for phones that have a dual SIM. When the PO SIM is inserted into the phone, the OS picks the PO SIM as the data line and shows a notification to the user that the SIM has been selected for Internet data. If two PO SIMs are inserted, the OS will choose the first PO SIM that was detected as the default data line and the mobile operator action required dialogue (ARD) is shown. If two non-PO SIMs are inserted, the user is prompted to choose the SIM to use as the default data line. Note OEMs should not set this customization unless required by the mobile operator. To enumerate the MCC/MNC value pairs to use for data connections, set the value for **PreferredDataProviderList**. The value must be a comma-separated list of preferred MCC:MNC values. For example, the value can be 301:026,310:030 and so on.
+Slot2DisableAppsList | Disable specified apps from slot 2 on a C+G dual SIM phone. To disable a list of specified apps from Slot 2, set Slot2DisableAppsList to a comma-separated list of values representing the apps. For example, `4,6`.
+Slot2ExcludedSystemTypes | Exclude specified system types from SIM cards inserted in Slot 2. For mobile operators that require more control over the system types that their phones use to connect to the mobile operators' networks, OEMs can restrict the second slot in a dual-SIM phone regardless of what apps or executor mapping the second slot is associated with. Note This setting is used only for China. OEMs should not use this setting unless required by the mobile operator. To allow an operator to simply restrict the second slot in a dual SIM phone regardless of what apps or executor mapping the second slot is associated with, set the value of Slot2ExcludedSystemTypes to the system types to be excluded from the SIM cards inserted in Slot 2. For example, a value of 0x8 specifies RIL_SYSTEMTYPE_UMTS (3G) while 0x10 specifies RIL_SYSTEMTYPE_LTE (4G). To exclude more than one system type, perform a bitwise OR operation on the radio technologies you want to exclude. For example, a bitwise OR operation on RIL_SYSTEMTYPE_LTE (4G) and RIL_SYSTEMTYPE_UMTS (3G) results in the value 11000 (binary) or 0x18 (hexadecimal). In this case, any SIM inserted in Slot 2 will be limited to 2G. For more information about the RIL system types, see [RILSYSTEMTYPE](https://msdn.microsoft.com/library/windows/hardware/dn931143.aspx).
+SuggestDataRoamingARD | Use to show the data roaming suggestion dialog when roaming and the data roaming setting is set to no roaming.
+SuggestGlobalModeARD | Define whether Global Mode is suggested on a C+G dual SIM phone.
+SuggestGlobalModeTimeout | To specify the number of seconds to wait for network registration before suggesting global mode, set SuggestGlobalModeTimeout to a value between 1 and 600, inclusive. For example, to set the timeout to 60 seconds, set the value to 60 (decimal) or 0x3C (hexadecimal).
+
+### RCS
+
+Setting | Description
+--- | ---
+SystemEnabled | Select **Yes** to specify that the system is RCS-enabled.
+UserEnabled | Select **Yes** to show the user setting if RCS is enabled on the device.
+
+### SMS
+
+Setting | Description
+--- | ---
+AckExpirySeconds | Set the value, in seconds, for how long to wait for a client ACK before trying to deliver.
+DefaultMCC | Set the default mobile country code (MCC).
+Encodings > GSM7BitEncodingPage | Enter the code page value for the 7-bit GSM default alphabet encoding. Values:- Code page value: 55000 (Setting value: 0xD6D8)(Code page: default alphabet)- Code page value: 55001 (Setting value: 0xD6D9)(Code page: GSM with single shift for Spanish)- Code page value: 55002 (Setting value: 0xD6DA)(Code page: GSM with single shift for Portuguese)- Code page value: 55003 (Setting value: 0xD6DB)(Code page: GSM with single shift for Turkish)- Code page value: 55004 (Setting value: 0xD6DC)(Code page: SMS Greek Reduction)
+Encodings > GSM8BitEncodingPage | Enter the code page value for GSM 8-bit encoding (OEM set). OEM-created code page IDs should be in the range 55050–55099. For more information, see [Add encoding extension tables for SMS]https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/add-encoding-extension-tables-for-sms).
+Encodings > OctetEncodingPage | Set the octet (binary) encoding.
+Encodings > SendUDHNLSS | Set the 7 bit GSM shift table encoding.
+Encodings > UseASCII | Set the 7 bit ASCII encoding. Used only for CDMA carriers that use 7-bit ASCII encoding instead of GSM 7-bit encoding.
+Encodings > UseKeyboardLangague | Set whether to use the keyboard language (Portuguese, Spanish, or Turkish) based encoding (set shift table based on keyboard language).
+IncompleteMsgDeliverySeconds | Set the value, in seconds, for long to wait for all parts of multisegment Sprint messages for concatenation.
+MessageExpirySeconds | Partners can set the expiration time before the phone deletes the received parts of a long SMS message. For example, if the phone is waiting for a three-part SMS message and the first part has been received, the first part will be deleted when the time expires and the other part of the message has not arrived. If the second part of the message arrives before the time expires, the first and second parts of the message will be deleted if the last part does not arrive after the time expires. The expiration time is reset whenever the next part of the long message is received. Set MessageExpirySeconds to the number seconds that the phone should wait before deleting the received parts of a long SMS messages. This value should be in hexadecimal and must be prefixed with 0x. The default value is 0x15180, which is equivalent to 1 day or 86,400 seconds.
+SmsFragmentLimit | Partners can specify a maximum length for SMS messages. This requires setting both the maximum number of SMS fragments per SMS message, from 1 to 255, and the maximum size in bytes of each SMS fragment, from 16 to 140 bytes. Use SmsFragmentLimit to set the maximum number of bytes in the user data body of an SMS message. You must set the value between 16 (0x10) and 140 (0x8C). You must also use SmsPageLimit to set the maximum number of segments in a concatenated SMS message.
+SmsPageLimit | Partners can specify a maximum length for SMS messages. This requires setting both the maximum number of SMS fragments per SMS message, from 1 to 255, and the maximum size in bytes of each SMS fragment, from 16 to 140 bytes. Use SmsPageLimit to set the maximum number of segments in a concatenated SMS message. You must set the value to 255 (0xFF) or smaller. You must also use SmsFragmentLimit to set the maximum number of bytes in the body of the SMS message.
+SprintFragmentInfoInBody | Partners can enable the messaging client to allow users to enter more than 160 characters per message. Messages longer than 160 characters are sent as multiple SMS messages that contain a tag at the beginning of the message in the form "(1/2)", where the first number represents the segment or part number and the second number represents the total number of segments or parts. Multiple messages are limited to 6 total segments. When enabled, the user cannot enter more characters after the 6 total segments limit is reached. Any message received with tags at the beginning is recombined with its corresponding segments and shown as one composite message.
+Type3GPP > ErrorHandling > ErrorType | Enter a name for ERRORCODE3GPP, and click **Add**. Configure the error type that you added as **Transient Failure** or **Permanent Failure**.
+Type3GPP > ErrorHandling > FriendlyErrorClass | Enter a name for ERRORCODE3GPP, and click **Add**. Configure the error class that you added as **generic error**, **invalid recepient address**, or **network connectivity trouble**.
+Type3GPP > IMS > SmsUse16BitReferenceNumbers | Configure whether to use 8-bit or 16-bit message ID (reference number) in the UDH.
+Type3GPP2 > ErrorHandling > FriendlyErrorClass | Enter a name for ERRORCODE3GPP2, and click **Add**. Configure the error class that you added as **generic error**, **invalid recepient address**, or **network connectivity trouble**.
+Type3GPP2 > ErrorHandling > UseReservedAsPermanent | Set the 3GPP2 permanent error type.
+
+### UIX
+
+Setting | Description
+--- | ---
+SIM1ToUIM1 | Used to show UIM1 as an alternate string instead of SIM1 for the first SIM on C+G dual SIM phones.
+SIMToSIMUIM | Partners can change the string "SIM" to "SIM/UIM" to accommodate scenarios such as Dual Mode cards of SIM cards on the phone. This can provide a better user experience for users in some markets. Enabling this customization changes all "SIM" strings to "SIM/UIM".
+
+
+
+### UTK
+
+Setting | Description
+--- | ---
+UIDefaultDuration | Specifies the default time, in milliseconds, that the DISPLAY TEXT, GET INKEY, PLAY TONE, or SELECT ITEM dialog should be displayed. The default value is 60000 milliseconds (60 seconds). The valid value range is 1-120000.
+UIGetInputDuration | Specifies the default time, in milliseconds, that the GET INPUT dialog should be displayed. The default value is 120000 milliseconds (120 seconds). The valid value range is 1-120000.
+
+
+
+
+## PerlMSI
+
+Enter an IMSI, click **Add**, and then select the IMSI that you added to configure the following settings.
+
+
+### CellData
+
+Setting | Description
+--- | ---
+MaxNumberOfPDPContexts | OEMs can set a maximum value for the number of simultaneous packet data protocol (PDP) contexts for 3GPP connections. By default, the OS enforces a maximum of four (4) simultaneous packet data protocol (PDP) contexts for 3GPP connections, and one (1) PDP context for 3GPP2 connections. OEMs can set a different maximum value if required by their mobile operator. The same maximums apply for both roaming and non-roaming scenarios. This maximum does not include packet contexts used internally by the modem.
+
+
+
+### CellUX
+
+Setting | Description
+--- | ---
+APNIPTypeIfHidden | Used to set the default IP type shown in the **IP type** listbox on the **internet APN** settings screen.
+Critical > ShowVoLTERoaming | Use to show the IMS roaming control in the cellular settings page
+Critical > ShowVoLTEToggle | Show or hide VoLTE toggle.
+Critical > SwitchIMS | Switch IMS on or off with a toggle. OEMs can configure the default settings and toggle for IMS services to meet mobile operator requirements. Users can later manually change the default values for these settings if they choose to do so.
+Critical > SwitchSMSOverIMS | Switch SMS over IMS on or off when VoLTE is toggled.
+Critical > SwitchVideoOverIMS | Use to switch video over IMS when VoLTE is switched.
+Critical > SwitchVoiceOverIMS | Switch voice over IMS when VoLTE is toggled.
+Critical > SwitchXCAP | Use to switch the XML Configuration Access Protocol (XCAP) when VoLTE is enabled.
+Critical > VoLTERoamingOffDescription | Use to customize the description string that appears under IMS roaming control when IMS roaming is turned off. The string must not be longer than 127 characters.
+Critical > VoLTERoamingOnDescription | Use to customize the description string that appears under IMS roaming control when IMS roaming is turned on. The string must not be longer than 127 characters.
+Critical > VoLTERoamingSettingDisableDuringCall | Use to specify whether to grey out VoLTE roaming settings during an active VoLTE call.
+Critical > VoLTERoamingTitle | Use to customize the description string for the IMS roaming control. The string must not be longer than 127 characters.
+Critical > VoLTESectionTitle | Use to customize the section title for the IMS settings. he string must not be longer than 127 characters.
+Critical > VoLTESettingDisableDuringCall | Use to specify whether to grey out VoLTE-related settings during an active VoLTE call.
+Critical > VoLTEToggleDescription | Use to customize the VoLTE toggle description. To customize the VoLTE toggle description, set VoLTEToggleDescription to the name of the resource-only .dll file, specifying the string offset. For example: @DisplayStrings.dll,-101.
+Critical > VoLTEToggleSettingDisableDuringCall | Use to specify whether to grey out the VoLTE toggle during an active VoLTE call.
+Critical > VoLTEToggleTitle | Use to customize the VoLTE toggle label. To customize the VoLTE toggle label, set VoLTEToggleTitle to the name of the resource-only .dll file, specifying the string offset. For example: @DisplayStrings.dll,-102.
+Critical > WFCSettingDisableDuringCall | Use to specify whether to grey out the Wi-Fi calling settings during an active VoLTE call.
+Disable2GByDefault | Select **Yes** to disable 2G by default. Select **No** to enable 2G.
+Disabled2GNoticeDescription | Enter text to customize the notification for disabled 2G.
+GenericWifiCallingErrorMessage | Enter text to customize the generic error message when a Wi-Fi calling error occurs.
+Hide3GPP2ModeSelection | Select **Yes** to hide the **CDMA** option in the network **Mode** selection drop-down menu. Select **No** to show the **CDMA** option.
+Hide3GPP2Selection | For 3GPP2 or CDMA phones, select **Yes** to hide the **Network Type** drop-down menu in the **SIM** settings screen. Select **No** to show **Network Type**.
+Hide3GPPNetworks | For 3GPP or GSM phones, select **Yes** to hide the **Network Type** drop-down menu in the **SIM settings** screen. Select **No** to show **Network Type**.
+HideAPN | Select **Yes** to hide the **add internet APN** button in the **SIM settings** screen. Select **No** to show **add internet APN**.
+HideAPNIPType | Select **Yes** to hide the **IP type** list in the **internet APN** settings screen. Select **No** to show **IP type**.
+HideDisabled2GNotice | Select **Yes** to hide the notification for disabled 2G. Select **No** to show the notification for disabled 2G.
+HideHighestSpeed | Select **Yes** to hide the **Highest connection speed** drop-down menu on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show **Highest connection speed**.
+HideHighestSpeed2G | Select **Yes** to hide the 2G option on the **Highest connection speed** drop-down menu on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show the 2G option.
+HideHighestSpeed3GOnly | Select **Yes** to hide the 3G option on the **Highest connection speed** drop-down menu on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show the 3G option.
+HideHighestSpeed4G | Select **Yes** to hide the 4G option on the **Highest connection speed** drop-down menu on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show the 4G option.
+HideHighestSpeed4G3GOnly | Select **Yes** to hide the 4G or 3G Only option on the **Highest connection speed** drop-down menu on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show the 4G or 3G Only option.
+HideHighestSpeed4GOnly | Select **Yes** to hide the 4G Only option on the **Highest connection speed** drop-down menu on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show the 4G Only option.
+HideLTEAttachAPN | Select **Yes** to hide the **LTE attach APN** button on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show the **LTE attach APN** button.
+HideMMSAPN | Select **Yes** to hide the **add mms apn** button on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show the **add mms apn** button.
+HideMMSAPNIPType | Select **Yes** to hide the APN IP type selector on the MMS APN page. Select **No** to show the APN IP type selector.
+HideModeSelection | Select **Yes** to hide the **Network Mode selection** drop-down menu on the **Settings** > **Cellular+SIM** > **SIM** settings page. Select **No** to show the **Network Mode selection**.
+HidePersoUnlock | Select **Yes** to hide the Perso unlock UI. Select **No** to show the Perso unlock UI.
+HighestSpeed2G | You can customize the listed names of the connection speeds with their own character codes. To modify "2G" to another character code, change the value of HighestSpeed2G. Although there is no limit to the number of characters you can use, if the character code is too long, it will be truncated in the UI.
+HighestSpeed3G | You can customize the listed names of the connection speeds with their own character codes. To modify "3G" to another character code, change the value of HighestSpeed3G. Although there is no limit to the number of characters you can use, if the character code is too long, it will be truncated in the UI.
+HighestSpeed3GOnly | You can customize the listed names of the connection speeds with their own character codes. To modify "3G Only" to another character code, change the value of HighestSpeed3GOnly. Although there is no limit to the number of characters you can use, if the character code is too long, it will be truncated in the UI.
+HighestSpeed3GPreferred | You can customize the listed names of the connection speeds with their own character codes. To modify "3G Preferred" to another character code, change the value of HighestSpeed3GPreferred. Although there is no limit to the number of characters you can use, if the character code is too long, it will be truncated in the UI.
+HighestSpeed4G | You can customize the listed names of the connection speeds with their own character codes. To modify "4G" to another character code, change the value of HighestSpeed4G. Although there is no limit to the number of characters you can use, if the character code is too long, it will be truncated in the UI.
+HighestSpeed4G3GOnly | You can customize the listed names of the connection speeds with their own character codes. To modify "4G or 3G Only" to another character code, change the value of HighestSpeed4G3GOnly. Although there is no limit to the number of characters you can use, if the character code is too long, it will be truncated in the UI.
+HighestSpeed4GOnly | You can customize the listed names of the connection speeds with their own character codes. To modify "4G Only" to another character code, change the value of HighestSpeed4GOnly. Although there is no limit to the number of characters you can use, if the character code is too long, it will be truncated in the UI.
+HighestSpeedTitle | You can customize the **Highest connection speed** drop-down label in the **Settings** > **Cellular+SIM** > **SIM** settings page. To change the Highest connection speed drop-down label, set HighestSpeedTitle to another string. For example, you can set this to "Preferred connection speed".
+IsATTSpecific | Control the roaming text for AT&T devices. AT&T requires the phone to show a particular roaming text to meet their legal and marketing guidelines. By default, if the user chooses **roam** under **Data roaming options** in the **Settings** > **Cellular+SIM** screen, they will see the following text: *Depending on your service agreement, you might pay more when using data roaming.* If you set IsATTSpecific to **Yes**, the following roaming text will be displayed instead: *International data roaming charges apply for data usage outside the United States, Puerto Rico, and United States Virgin Islands. Don’t allow roaming to avoid international data roaming charges.*
+LTEAttachGUID | Set the value for LTEAttachGuid to the OemConnectionId GUID used for the LTE attach profile in the modem. The value is a GUID in the string format *XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX*.
+MMSAPNIPTypeIfHidden | Select between **IPV4**, **IPV6**, **IPV4V6**, and **IPV4V6XLAT** for default MMS APN IP type.
+ShowExtendedRejectCodes | When a reject code is sent by the network, partners can specify that extended error messages should be displayed instead of the standard simple error messages. This customization is only intended for use when required by the mobile operator’s network. The short versions of the extended reject message are shown in the following screens:- Phone tile in Start- Call History screen- Dialer- Call Progress screen- Incoming Call screen- As the status string under Settings > cellular+SIMThe long version of the extended reject message is shown under the Active Network label in **Settings** > **cellular+SIM**. Select **Yes** to show the extended error message. Select **No** to hide the extended error message. See [Error messages for reject codes](#errorreject) to see the versions of the message.
+ShowHighestSpeed3GPreferred | Select **Yes** to show the **3G Preferred** option in the **Highest connection speed** drop-down menu. Select **No** to hide **3G Preferred**.
+ShowManualAvoidance | Select **Yes** to show the **Switch to next network manually** button in SIM settings when Mode Selection is CDMA on a C+G dual SIM phone. Select **No** to hide the **Switch to next network manually** button
+ShowPreferredPLMNPage | Select **Yes** to show the preferred public land mobile network (PLMN) page in SIM settings.
+ShowSpecificWifiCallingError | Select **Yes** to show a specific error message based on operator requirements.
+ShowViewAPN | Select **Yes** to show the **View Internet APN** button in **Settings** > **cellular+SIM**.
+ShowWifiCallingEmergencyCallWarning | Select **Yes** to show Wi-Fi emergency call warning.
+ShowWifiCallingError | Select **Yes** to show Wi-Fi calling error message.
+
+
+
+
+
+### General
+
+Setting | Description
+--- | ---
+atomicRoamingTableSettings3GPP | If you enable 3GPP roaming, configure the following settings:- **Exceptions** maps the SerialNumber key to the Exceptions value. The wildcard, $(SerialNumber), is a 3-digit decimal serial number (000 through 999) represented as a string. The wildcard is used as a regvalue under the "Exceptions" subkey. Multiple reg values in this form may be configured or customized by the OEM, all placed under the same subkey (Exceptions). The data in the regvalue is a string representing an MCC-MNC pair, such as "410510" where 410 is the MCC and 510 is the MNC.- **HomePLMN** maps the SerialNumber key to the HomePLMN value. The wildcard, $(SerialNumber), is a 3-digit decimal serial number (000 through 999) represented as a string. The wildcard is used as a regvalue under the "HomePLMN" subkey. Multiple reg values in this form may be configured or customized by the OEM, all placed under the same subkey (HomePLMN). The data in the regvalue is a string representing an MCC-MNC pair, such as "410510" where 410 is the MCC and 510 is the MNC.- **TargetImsi** maps the SerialNubmer key to the TargetIMSI value. The wildcard, $(SerialNumber), is a 3-digit decimal serial number (000 through 999) represented as a string. The wildcard is used as a regvalue under the "TargetImsi" subkey. Multiple reg values in this form may be configured or customized by the OEM, all placed under the same subkey (TargetImsi). The data in the regvalue is a string representing an MCC-MNC pair, such as "410510" where 410 is the MCC and 510 is the MNC.
+atomicRoamingTableSettings3GPP2 | If you enable 3GPP2 roaming, configure the following settings:- **Home** maps the SerialNumber key to the Home value. The wildcard, $(SerialNumber), is a 3-digit decimal serial number (000 through 999) represented as a string. The wildcard is used as a regvalue under the "Home" subkey. Multiple reg values in this form may be configured or customized by the OEM, all placed under the same subkey (Home). The data in the regvalue is a DWORD representing the Roaming Indicator. - **Roaming** maps the SerialNumber key to the Roaming value. The wildcard, $(SerialNumber), is a 3-digit decimal serial number (000 through 999) represented as a string. The wildcard is used as a regvalue under the "Roaming" subkey. Multiple reg values in this form may be configured or customized by the OEM, all placed under the same subkey (Roaming). The data in the regvalue is a DWORD representing the Roaming Indicator.
+AvoidStayingInManualSelection | You can enable permanent automatic mode for mobile networks that require the cellular settings to revert to automatic network selection after the user has manually selected another network when roaming or out of range of the home network.
+CardAllowList | Define the list of SIM cards allowed in the first slot of a C+G dual SIM phone. This setting is used only if **CardLock** is set to allow it. If **CardLock** is not set, this list is ignored. To configure the list of SIM cards allowed in the first slot, set the value for CardAllowList to a comma-separated MCC:MNC list. You can also use wild cards, represented by an asterisk (*), to accept any value. For example, you can set the value to `310:410,311:*,404:012,310:70`.
+CardBlockList | Define the list of SIM cards that are not allowed in the first slot of a C+G dual SIM phone. This setting is used only if **CardLock** is set to allow it. If **CardLock** is not set, this list is ignored. To configure the list of SIM cards that are not allowed in the first slot, set the value for CardBlockList to a comma separated MCC:MNC list. You can also use wild cards, represented by an asterisk (*), to accept any value. For example, you can set the value to `310:410,311:*,404:012,310:70`.
+CardLock | Used to enforce either the card allow list or both the card allow and block lists on a C+G dual SIM phone.
+Critical > MultivariantProvisionedSPN | Used to change the default friendly SIM names in dual SIM phones. By default, the OS displays SIM 1 or SIM 2 as the default friendly name for the SIM in slot 1 or slot 2 if the service provider name (SPN) or mobile operator name has not been set. Partners can use this setting to change the default name read from the SIM to define the SPN for SIM cards that do not contain this information or to generate the default friendly name for the SIM. The OS uses the default value as the display name for the SIM or SPN in the Start screen and other parts of the UI including the SIM settings screen. For dual SIM phones that contain SIMs from the same mobile operator, the names that appear in the UI may be similar. See [Values for MultivariantProvisionedSPN](#spn).
+Critical > SimNameWithoutMSISDNENabled | Use this setting to remove the trailing MSISDN digits from the service provider name (SPN) in the phone UI. By default, the OS appends the trailing MSISDN digits to the service provider name (SPN) in the phone UI, including on the phone and messaging apps. If required by mobile operators, OEMs can use the SimNameWithoutMSISDNEnabled setting to remove the trailing MSISDN digits. However, you must use this setting together with **MultivariantProvisionedSPN** to suppress the MSISDN digits.
+DisableLTESupportWhenRoaming | Set to **Yes** to disable LTE support when roaming.
+ExcludedSystemTypesByDefault | Set the default value for **Highest connection speed** in the **Settings** > **Cellular & SIM** > **SIM** screen by specifying the bitmask for any combination of radio technology to be excluded from the default value. The connection speed that has not been excluded will show up as the highest connection speed. On dual SIM phones that only support up to 3G connection speeds, the **Highest connection speed** option is replaced by a 3G on/off toggle based on the per-device setting. Enter the binary setting to exclude 4G (`10000`) or 3G (`01000`).
+LTEEnabled | Select **Yes** to enable LTE, and **No** to disable LTE.
+LTEForced | Select **Yes** to force LTE.
+NetworkSuffix | To meet branding requirements for some mobile operators, you can add a suffix to the network name that is displayed on the phone. For example, you can change from ABC to ABC 3G when under 3G coverage. This feature can be applied for any radio access technology (RAT). For TD-SCDMA RAT, a 3G suffix is always appended by default, but partners can also customize this the same way as with any other RAT. In the setting name, set SYSTEMTYPE to the network type that you want to append the network name to and click **Add**:- system type 4: 2G (GSM)- system type 8: 3G (UMTS)- system type 16: LTE- system type 32: 3G (TS-SCDMA)Select the system type that you added, and enter the network name and suffix that you want displayed.
+NitzFiltering | For mobile networks that can receive Network Identity and Time Zone (NITZ) information from multiple sources, partners can set the phone to ignore the time received from an LTE network. Time received from a CDMA network is not affected. Set the value of NitzFiltering to `0x10`.
+OperatorListForExcludedSystemTypes | Enter a comma-separated list of MCC and MNC (MCC:MNC) for which system types should be restricted. For mobile operators that require more control over the system types that their phones use to connect to the mobile operators' networks, OEMs can specify the MCC and MNC of other specific operators that the main mobile operator wishes to limit. If the UICC's MCC and MNC matches any of the pairs that OEMs can specify for the operator, a specified RIL system type will be removed from the UICC regardless of its app types, slot position, or executor mapping. This setting is used only for China. OEMs should not use this setting unless required by the mobile operator. Set the value of the OperatorListForExcludedSystemTypes setting a comma separated list of MCC:MNC pairs for which the system types should be restricted. For example, the value can be set to 310:026,310:030 to restrict operators with an MCC:MNC of 310:026 and 310:030.
+OperatorPreferredForFasterRadio | Set Issuer Identification Number (IIN) or partial ICCID of preferred operator for the faster radio. For mobile operators that require more control over the system types that their phones use to connect to the mobile operators' networks, OEMs can map a partial ICCID or an Industry Identification Number (IIN) to the faster radio regardless of which SIM card is chosen for data connectivity. This setting is used only for China. OEMs should not use this setting unless required by the mobile operator. To map a partial ICCID or an IIN to the faster radio regardless of which SIM card is chosen for data connectivity, set the value of OperatorPreferredForFasterRadio to match the IIN or the ICCID, up to 7 digits, of the preferred operator.
+SuggestDataRoamingARD | Use to show the data roaming suggestion dialog when roaming and the data roaming setting is set to no roaming.
+
+
+
+
+
+
+
+### RCS
+
+See descriptions in Windows Configuration Designer.
+
+
+
+
+### SMS
+
+Setting | Description
+--- | ---
+AckExpirySeconds | Set the value, in seconds, for how long to wait for a client ACK before trying to deliver.
+DefaultMCC | Set the default mobile country code (MCC).
+Encodings > GSM7BitEncodingPage | Enter the code page value for the 7-bit GSM default alphabet encoding. Values:- Code page value: 55000 (Setting value: 0xD6D8)(Code page: default alphabet)- Code page value: 55001 (Setting value: 0xD6D9)(Code page: GSM with single shift for Spanish)- Code page value: 55002 (Setting value: 0xD6DA)(Code page: GSM with single shift for Portuguese)- Code page value: 55003 (Setting value: 0xD6DB)(Code page: GSM with single shift for Turkish)- Code page value: 55004 (Setting value: 0xD6DC)(Code page: SMS Greek Reduction)
+Encodings > GSM8BitEncodingPage | Enter the code page value for GSM 8-bit encoding (OEM set). OEM-created code page IDs should be in the range 55050–55099. For more information, see [Add encoding extension tables for SMS]https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/add-encoding-extension-tables-for-sms).
+Encodings > OctetEncodingPage | Set the octet (binary) encoding.
+Encodings > SendUDHNLSS | Set the 7 bit GSM shift table encoding.
+Encodings > UseASCII | Set the 7 bit ASCII encoding. Used only for CDMA carriers that use 7-bit ASCII encoding instead of GSM 7-bit encoding.
+Encodings > UseKeyboardLangague | Set whether to use the keyboard language (Portuguese, Spanish, or Turkish) based encoding (set shift table based on keyboard language).
+IncompleteMsgDeliverySeconds | Set the value, in seconds, for long to wait for all parts of multisegment Sprint messages for concatenation.
+MessageExpirySeconds | Partners can set the expiration time before the phone deletes the received parts of a long SMS message. For example, if the phone is waiting for a three-part SMS message and the first part has been received, the first part will be deleted when the time expires and the other part of the message has not arrived. If the second part of the message arrives before the time expires, the first and second parts of the message will be deleted if the last part does not arrive after the time expires. The expiration time is reset whenever the next part of the long message is received. Set MessageExpirySeconds to the number seconds that the phone should wait before deleting the received parts of a long SMS messages. This value should be in hexadecimal and must be prefixed with 0x. The default value is 0x15180, which is equivalent to 1 day or 86,400 seconds.
+SmsFragmentLimit | Partners can specify a maximum length for SMS messages. This requires setting both the maximum number of SMS fragments per SMS message, from 1 to 255, and the maximum size in bytes of each SMS fragment, from 16 to 140 bytes. Use SmsFragmentLimit to set the maximum number of bytes in the user data body of an SMS message. You must set the value between 16 (0x10) and 140 (0x8C). You must also use SmsPageLimit to set the maximum number of segments in a concatenated SMS message.
+SmsPageLimit | Partners can specify a maximum length for SMS messages. This requires setting both the maximum number of SMS fragments per SMS message, from 1 to 255, and the maximum size in bytes of each SMS fragment, from 16 to 140 bytes. Use SmsPageLimit to set the maximum number of segments in a concatenated SMS message. You must set the value to 255 (0xFF) or smaller. You must also use SmsFragmentLimit to set the maximum number of bytes in the body of the SMS message.
+SprintFragmentInfoInBody | Partners can enable the messaging client to allow users to enter more than 160 characters per message. Messages longer than 160 characters are sent as multiple SMS messages that contain a tag at the beginning of the message in the form "(1/2)", where the first number represents the segment or part number and the second number represents the total number of segments or parts. Multiple messages are limited to 6 total segments. When enabled, the user cannot enter more characters after the 6 total segments limit is reached. Any message received with tags at the beginning is recombined with its corresponding segments and shown as one composite message.
+Type3GPP > ErrorHandling > ErrorType | Enter a name for ERRORCODE3GPP, and click **Add**. Configure the error type that you added as **Transient Failure** or **Permanent Failure**.
+Type3GPP > ErrorHandling > FriendlyErrorClass | Enter a name for ERRORCODE3GPP, and click **Add**. Configure the error class that you added as **generic error**, **invalid recepient address**, or **network connectivity trouble**.
+Type3GPP > IMS > SmsUse16BitReferenceNumbers | Configure whether to use 8-bit or 16-bit message ID (reference number) in the UDH.
+Type3GPP2 > ErrorHandling > FriendlyErrorClass | Enter a name for ERRORCODE3GPP2, and click **Add**. Configure the error class that you added as **generic error**, **invalid recepient address**, or **network connectivity trouble**.
+Type3GPP2 > ErrorHandling > UseReservedAsPermanent | Set the 3GPP2 permanent error type.
+
+
+
+### UTK
+
+Setting | Description
+--- | ---
+UIDefaultDuration | Specifies the default time, in milliseconds, that the DISPLAY TEXT, GET INKEY, PLAY TONE, or SELECT ITEM dialog should be displayed. The default value is 60000 milliseconds (60 seconds). The valid value range is 1-120000.
+UIGetInputDuration | Specifies the default time, in milliseconds, that the GET INPUT dialog should be displayed. The default value is 120000 milliseconds (120 seconds). The valid value range is 1-120000.
+
+
+### VoLTE
+
+Setting | Description
+--- | ---
+IMSOMADMServices | Allows configuration of OMA DM Services Mask. The value is mapped directly to RIL_IMS_NW_ENABLED_FLAGS on the modem side. To configure the OMA DM services mask, set the IMSOMADMServices setting to one of the following values:- None, Flag: 0, Bitmask: 00000- OMA DM, Flag: 1, Bitmask: 00001- Voice, Flag: 2, Bitmask: 00010- Video, Flag: 4, Bitmask: 00100- EAB presence, Flag: 8, Bitmask: 01000- Enable all services, Flag: 15, Bitmask: 10000
+IMSServices | Identifies which IMS services are enabled (if any). The value is any combination of flags 1 (IMS), 2 (SMS over IMS), 4 (Voice over IMS) and 8 (Video Over IMS). Set the value for the IMSServices setting to any combination of the following flags or bitmasks:- IMS, Flag: 1, Bitmask: 0001- SMS over IMS, Flag: 2, Bitmask: 0010- Voice over IMS, Flag: 4, Bitmask: 0100Video over IMS, Flag: 8, Bitmask: 1000
+
+
+
+## Error messages for reject codes
+
+
+Reject code | Extended error message | Short error message
+--- | --- | ---
+2 (The SIM card hasn't been activated or has been deactivated) | SIM not set up MM#2 | Invalid SIM
+3 (The SIM card fails authentication or one of the identity check procedures. This can also happen due to a duplication of the TMSI across different MSCs.) | Can't verify SIM MM#3 | Invalid SIM
+6 (The device has been put on a block list, such as when the phone has been stolen or the IMEI is restricted.) | Phone not allowed MM#6 | No service
+
+
+## Values for MultivariantProvisionedSPN
+
+Set the MultivariantProvisionedSPN value to the name of the SPN or mobile operator.
+
+The following table shows the scenarios supported by this customization:
+
+>[!NOTE]
+>In the Default SIM name column:
+>
+>- The " " in MultivariantProvisionedSPN" "1234 means that there is a space between the mobile operator name or SPN and the last 4 digits of the MSISDN.
+>- MultivariantProvisionedSPN means the value that you set for the MultivariantProvisionedSPN setting.
+>- SIM 1 or SIM 2 is the default friendly name for the SIM in slot 1 or slot 2.
+
+
+Multivariant setting set?|SPN provisioned?|MSISDN (last 4 digits: 1234, for example) provisioned?|Default SIM name
+Yes|Yes|Yes|*MultivariantProvisionedSPN*1234 or *MultivariantProvisionedSPN*" "1234
+Yes|No|No|*MultivariantProvisionedSPN* (up to 16 characters)
+Yes|Yes|No|*MultivariantProvisionedSPN* (up to 16 characters)
+Yes|No|Yes|*MultivariantProvisionedSPN*1234 or *MultivariantProvisionedSPN*" "1234
+No|Yes|Yes|If SPN string >= 12: *SPN*1234If SPN string < 12: *SPN*" "1234
+No|No|No|*SIM 1* or *SIM 2*
+No|Yes|No|SPN (up to 16 characters)
+No|No|Yes|*SIM 1* or *SIM 2*
+
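Review bot: In the VoLTE table, the IMSOMADMServices row gives "Enable all services, Flag: 15, Bitmask: 10000", but 15 is 01111 in binary (10000 would be 16), so the flag and the bitmask disagree; correct whichever is wrong. Both that row and IMSServices run their option lists together on one line, and "0100Video over IMS" is missing its "- " separator. Further down, the MultivariantProvisionedSPN table has no separator row (---|---|---|---) after its header, so it will not render as a table, and the cell "If SPN string >= 12: *SPN*1234If SPN string < 12" needs a break between the two cases. MessageExpirySeconds also reads "the number seconds".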
diff --git a/windows/configuration/wcd/wcd-cellular.md b/windows/configuration/wcd/wcd-cellular.md
index 7ea42d279d..15ff4cbc51 100644
--- a/windows/configuration/wcd/wcd-cellular.md
+++ b/windows/configuration/wcd/wcd-cellular.md
@@ -7,21 +7,22 @@ ms.sitesec: library
author: jdeckerMS
ms.localizationpriority: medium
ms.author: jdecker
-ms.date: 08/21/2017
+ms.date: 10/17/2017
---
# Cellular (Windows Configuration Designer reference)
Use to configure settings for cellular connections.
+>[!IMPORTANT]
+>These settings are intended to be used only by manufacturers, mobile operators, and solution providers when configuring devices, and are not intended for use by administrators in the enterprise.
+
## Applies to
| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: | :---: |
-| [AccountExperienceURL](#accountexperienceurl) | X | | | | |
-| [AppID](#appid) | X | | | | |
-| [NetworkBlockList](#networkblocklist) | X | | | | |
-| [SIMBlockList](#simblocklist) | X | | | | |
+| All settings | X | | | | |
+
To begin, enter a SIM integrated circuit card identifier (**SimIccid**), and click **Add**. In the **Customizations** pane, select the SimIccid that you just entered and configure the following settings for it.
@@ -34,10 +35,27 @@ Enter the URL for the mobile operator's web page.
Enter the AppID for the mobile operator's app in Microsoft Store.
+## BrandingIcon
+
+Browse to and select an .ico file.
+
+## BrandingIconPath
+
+Enter the destination path for the BrandingIcon .ico file.
+
+## BrandingName
+
+Enter the service provider name for the mobile operator.
+
## NetworkBlockList
Enter a comma-separated list of mobile country code (MCC) and mobile network code (MCC) pairs (MCC:MNC).
## SIMBlockList
-Enter a comma-separated list of mobile country code (MCC) and mobile network code (MCC) pairs (MCC:MNC).
\ No newline at end of file
+Enter a comma-separated list of mobile country code (MCC) and mobile network code (MCC) pairs (MCC:MNC).
+
+
+## UseBrandingNameOnRoaming
+
+Select an option for displaying the BrandingName when the device is roaming.
\ No newline at end of file
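Review bot: The re-added SIMBlockList line still reads "mobile network code (MCC)"; the abbreviation should be MNC, as the "(MCC:MNC)" at the end of the same sentence shows, and the unchanged NetworkBlockList line above carries the same slip. SIMBlockList also has word for word the same description as NetworkBlockList, so a reader cannot tell what each list blocks. UseBrandingNameOnRoaming says "Select an option" without listing the options, and the file still ends without a trailing newline.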
diff --git a/windows/configuration/wcd/wcd-connections.md b/windows/configuration/wcd/wcd-connections.md
index 98fdd61592..a996e19cfc 100644
--- a/windows/configuration/wcd/wcd-connections.md
+++ b/windows/configuration/wcd/wcd-connections.md
@@ -7,7 +7,7 @@ ms.sitesec: library
author: jdeckerMS
ms.localizationpriority: medium
ms.author: jdecker
-ms.date: 08/21/2017
+ms.date: 10/17/2017
---
# Connections (Windows Configuration Designer reference)
@@ -18,10 +18,8 @@ Use to configure settings related to various types of phone connections.
| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: | :---: |
-| [Cellular](#cellular) | X | X | X | X | |
-| [EnterpriseAPN](#enterpriseapn) | X | X | X | X | |
-| [Policies](#policies) | X | X | X | X | |
-| [Proxies](#proxies) | X | X | X | X | |
+| All settings | X | X | X | X | |
+
For each setting group:
1. In **Available customizations**, select the setting group (such as **Cellular**), enter a friendly name for the connection, and then click **Add**.
@@ -36,6 +34,10 @@ See [CM_CellularEntries configuration service provider (CSP)](https://msdn.micro
See [Configure cellular settings for tablets and PCs](https://docs.microsoft.com/windows/configuration/provisioning-apn) and
[EnterpriseAPN CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseapn-csp) for settings and values.
+## General
+
+Use **General > DataRoam** to set the default value for the **Default roaming options** option in the **Settings > cellular + SIM** area on the device. Select between **DoNotRoam**, **DomesticRoaming**, or **InternationalRoaming**.
+
## Policies
See [CMPolicy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/cmpolicy-csp) for settings and values.
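Review bot: The new General > DataRoam paragraph lists **DoNotRoam**, **DomesticRoaming**, and **InternationalRoaming** but does not say which one applies when the setting is left unconfigured; since this sets the device's default roaming behaviour, state the default. "Select between ... or ..." with three choices would read better as "Select one of".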
diff --git a/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md b/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md
index 6f954aec14..097f2e9273 100644
--- a/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md
+++ b/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md
@@ -1,5 +1,5 @@
---
-title: DesktopBackgrounAndColors (Windows 10)
+title: DesktopBackgroundAndColors (Windows 10)
description: This section describes the DesktopBackgrounAndColors settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
ms.mktglfcycl: deploy
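Review bot: The title is corrected to DesktopBackgroundAndColors, but the description line directly below it still says "DesktopBackgrounAndColors settings"; fix it in the same change.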
@@ -10,7 +10,7 @@ ms.author: jdecker
ms.date: 08/21/2017
---
-# DesktopBackgrounAndColors (Windows Configuration Designer reference)
+# DesktopBackgroundAndColors (Windows Configuration Designer reference)
Do not use. Instead, use the [Personalization settings](wcd-personalization.md).
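Review bot: ms.date stays at 08/21/2017 in this file although the heading changes, while the other topics edited in this patch move to 10/17/2017; bump it if the date is meant to track content edits.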
diff --git a/windows/configuration/wcd/wcd-deviceinfo.md b/windows/configuration/wcd/wcd-deviceinfo.md
new file mode 100644
index 0000000000..28e15ade95
--- /dev/null
+++ b/windows/configuration/wcd/wcd-deviceinfo.md
@@ -0,0 +1,64 @@
+---
+title: DeviceInfo (Windows 10)
+description: This section describes the DeviceInfo settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+ms.localizationpriority: medium
+ms.author: jdecker
+ms.date: 10/17/2017
+---
+
+# DeviceInfo (Windows Configuration Designer reference)
+
+Use to configure settings for DeviceInfo.
+
+>[!IMPORTANT]
+>These settings are intended to be used only by manufacturers, mobile operators, and solution providers when configuring devices, and are not intended for use by administrators in the enterprise.
+
+## Applies to
+
+| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| All settings | | X | | | |
+
+
+## PhoneMobileOperatorDisplayName
+
+Enter a friendly name for the mobile operator. This string is displayed in the support section of the **Settings > About** screen and in the ringtone list.
+
+## PhoneMobileOperatorName
+
+This setting is used for targeting phone updates. It must contain a code specified by Microsoft that corresponds to the mobile operator. These codes are provided in [Registry values for mobile operator IDs](https://msdn.microsoft.com/library/windows/hardware/dn772250.aspx). For open market phones, in which the mobile operator is not known, use the codes in [Registry values for carrier-unlocked phones](https://msdn.microsoft.com/library/windows/hardware/dn772248.aspx) instead.
+
+This string is not visible to the user.
+
+This setting must not be changed over time even if the user switches SIMs or mobile operators, as updates are always targeted based on the first mobile operator associated with the phone.
+
+The [PhoneManufacturer](https://msdn.microsoft.com/library/windows/hardware/mt138328.aspx), [PhoneManufacturerModelName](https://msdn.microsoft.com/library/windows/hardware/mt138336.aspx), and PhoneMobileOperatorName should create a unique Phone-Operator-Pairing (POP).
+
+
+
+## PhoneOEMSupportLink
+
+This should be a functional link that starts with http://. The link should be a URL that redirects to the mobile version of the web page. The content in the webpage should reflow to the screen width. This can be achieved by adding the CSS Tag `"@-ms-viewport { width: device-width; }"`.
+
+The default is an empty string (""), which means that a support link will not be displayed to the user.
+
+This setting varies by OEM.
+
+
+## PhoneSupportLink
+
+This should be a functional link that starts with http://. The link should be a URL that redirects to the mobile version of the web page. The content in the webpage should reflow to the screen width. This can be achieved by adding the CSS Tag `"@-ms-viewport { width: device-width; }"`.
+
+The default is an empty string (""), which means that a support link will not be displayed to the user.
+
+This setting varies by OEM.
+
+
+## PhoneSupportPhoneNumber
+
+Use to specify the OEM or mobile operator's support contact phone number. The country code is not required. This string is displayed in the About screen in Settings. This setting also corresponds to the Genuine Windows Phone Certificates (GWPC) support number.
+
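Review bot: PhoneOEMSupportLink and PhoneSupportLink both say the value "should be a functional link that starts with http://", which steers partners toward a plaintext support URL; confirm whether https:// is accepted and, if it is, document it as the preferred scheme. The two sections are otherwise identical, including "This setting varies by OEM", so the topic never says how the OEM link differs from PhoneSupportLink or where each one is displayed.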
diff --git a/windows/configuration/wcd/wcd-devicemanagement.md b/windows/configuration/wcd/wcd-devicemanagement.md
index 297225f5a1..a37c32bee6 100644
--- a/windows/configuration/wcd/wcd-devicemanagement.md
+++ b/windows/configuration/wcd/wcd-devicemanagement.md
@@ -12,7 +12,7 @@ ms.date: 08/21/2017
# DeviceManagement (Windows Configuration Designer reference)
-Use to...
+Use to configure device management settings.
## Applies to
diff --git a/windows/configuration/wcd/wcd-hotspot.md b/windows/configuration/wcd/wcd-hotspot.md
new file mode 100644
index 0000000000..cea5973633
--- /dev/null
+++ b/windows/configuration/wcd/wcd-hotspot.md
@@ -0,0 +1,116 @@
+---
+title: HotSpot (Windows 10)
+description: This section describes the HotSpot settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+ms.localizationpriority: medium
+ms.author: jdecker
+ms.date: 10/17/2017
+---
+
+# HotSpot (Windows Configuration Designer reference)
+
+Use HotSpot settings to configure Internet sharing.
+
+## Applies to
+
+| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| All settings | | X | | | |
+
+>[!NOTE]
+>Although the HotSpot settings are available in advanced editing for multiple editions, the settings are only supported on devices running Windows 10 Mobile.
+
+## DedicatedConnections
+
+(Optional) Set DedicatedConnections to a semicolon-separated list of connections.
+
+Specifies the list of Connection Manager cellular connections that Internet sharing will use as public connections.
+
+By default, any available connection will be used as a public connection. However, this node allows a mobile operator to specify one or more connection names to use as public connections.
+
+Specified connections will be mapped, by policy, to the Internet sharing service. All attempts to enumerate Connection Manager connections for the Internet sharing service will return only the mapped connections.
+
+The mapping policy will also include the connection specified in the TetheringNAIConnection value as well.
+
+ If the specified connections do not exist, Internet sharing will not start because it will not have any cellular connections available to share.
+
+
+
+## Enabled
+
+Specify **True** to enable Internet sharing on the device or **False** to disable Internet sharing.
+
+If Enabled is initially set to **True**, the feature is turned off and the internet sharing screen is removed from Settings so that the user cannot access it. Configuration changes or connection sharing state changes will not be possible.
+
+When Enabled is set to **False**, the internet sharing screen is added to Settings, although sharing is turned off by default until the user turns it on.
+
+
+## MaxBluetoothUsers
+
+(Optional) Specify the maximum number of simultaneous Bluetooth users that can be connected to a device while sharing over Bluetooth. Set MaxBluetoothUsers to an integer value between 1 and 7 inclusive. The default value is 7.
+
+
+## MaxUsers
+
+(Optional) Specify the maximum number of simultaneous users that can be connected to a device while sharing. Set MaxUsers to an integer value between 1 and 8 inclusive. The default value is 5.
+
+
+## MOAppLink
+
+(Optional) Enter an application link that points to a pre-installed application, provided by the mobile operator. that will help a user to subscribe to the mobile operator's Internet sharing service when Internet sharing is not provisioned or entitlement fails.
+
+Set MOAppLink to a valid app ID. The general format for the link is *app://MOappGUID*. For example, if your app ID is `12345678-9012-3456-7890-123456789012`, you must set the value to `app://12345678-9012-3456-7890-123456789012`.
+
+
+## MOHelpMessage
+
+(Optional) Enter a reference to a localized string, provided by the mobile operator, that is displayed when Internet sharing is not enabled due to entitlement failure. The node takes a language-neutral registry value string, which has the following form:
+
+```
+@,-
+```
+
+Where `` is the resource dll that contains the string and `` is the string identifier. For more information on language-neutral string resource registry values, see [Using Registry String Redirection](https://msdn.microsoft.com/library/windows/desktop/dd374120.aspx).
+
+## MOHelpNumber
+
+(Optional) Enter a mobile operator–specified phone number that is displayed to the user when the Internet sharing service fails to start. The user interface displays a message informing the user that they can call the specified number for help.
+
+
+
+## MOInfoLink
+
+(Optional) Enter a mobile operator–specified HTTP link that is displayed to the user when Internet sharing is disabled or the device is not entitled. The user interface displays a message informing the user that they can visit the specified link for more information about how to enable the feature.
+
+## PeerlessTimeout
+
+(Optional) Enter the time-out period, in minutes, after which Internet sharing should automatically turn off if there are no active clients.
+
+Set PeerlessTimeout to any value between 1 and 120 inclusive. A value of 0 is not supported. The default value is 5 minutes.
+
+## PublicConnectionTimeout
+
+(Optional) Enter the time-out value, in minutes, after which Internet sharing is automatically turned off if a cellular connection is not available.
+
+Set PublicConnectionTimeout to any value between 1 and 60 inclusive. The default value is 20 minutes. A value of 0 is not supported.
+
+
+## TetheringNAIConnection
+
+(Optional) Specify the CDMA TetheringNAI Connection Manager cellular connection that Internet sharing will use as a public connection. Set TetheringNAIConnection to the CDMA TetheringNAI Connection Manager cellular connection.
+
+If a CDMA mobile operator requires using a Tethering NAI during Internet sharing, they must configure a TetheringNAI connection and then specify the connection in this node.
+
+Specified connections will be mapped, by policy, to the Internet sharing service. All attempts to enumerate Connection Manager connections for the Internet sharing service will return only the mapped connections.The mapping policy will also include the connection specified in the TetheringNAIConnection value as well.
+
+If the specified connections do not exist, Internet sharing will not start because it will not have any cellular connections available to share.
+
+>[!NOTE]
+>CDMA phones are limited to one active data connection at a time. This means any application or service (such as e-mail or MMS) that is bound to another connection may not work while Internet sharing is turned on.
+
+
+
+
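Review bot: The Enabled section contradicts itself: it opens with "Specify **True** to enable Internet sharing", then says that when Enabled is set to **True** "the feature is turned off and the internet sharing screen is removed from Settings", and that **False** adds the screen. The two explanatory paragraphs look swapped; because this decides whether users can turn tethering on at all, check it against the actual behaviour before merging. In MOHelpMessage the format string is just "@,-" and the sentence after it has empty backtick pairs where the placeholder names for the resource dll and the string identifier should be, so the placeholders have been lost. MOAppLink has a stray period in "provided by the mobile operator. that will help", and TetheringNAIConnection repeats the DedicatedConnections mapping paragraph with a missing space at "connections.The".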
diff --git a/windows/configuration/wcd/wcd-messaging.md b/windows/configuration/wcd/wcd-messaging.md
index 871e87042c..2f2ab14958 100644
--- a/windows/configuration/wcd/wcd-messaging.md
+++ b/windows/configuration/wcd/wcd-messaging.md
@@ -7,12 +7,18 @@ ms.sitesec: library
author: jdeckerMS
ms.localizationpriority: medium
ms.author: jdecker
-ms.date: 08/21/2017
+ms.date: 10/17/2017
---
# Messaging (Windows Configuration Designer reference)
-Use for settings related to Messaging.
+Use for settings related to Messaging and Commercial Mobile Alert System (CMAS).
+
+>[!IMPORTANT]
+>These settings are intended to be used only by manufacturers, mobile operators, and solution providers when configuring devices, and are not intended for use by administrators in the enterprise.
+
+>[!NOTE]
+>CMAS is now known as Wireless Emergency Alerts (WEA).
## Applies to
@@ -20,16 +26,70 @@ Use for settings related to Messaging.
| --- | :---: | :---: | :---: | :---: | :---: |
| All settings | | X | | | |
-## GlobalSettings > ShowSendingStatus
+## GlobalSettings
+
+### DisplayCmasLifo
+
+Use this setting to change the order in which CMAS alert messages are displayed, from the default first in/first out (FIFO) message order to last in/first out (LIFO) message order.
+
+If the phone receives at least one CMAS alert message which has not been acknowledged by the user, and another CMAS alert message arrives on the phone, partners can configure the order in which the newly received alert messages are displayed on the phone regardless of the service category of the alert. Users will not be able to change the message order once it has been set.
+
+If partners do not specify a value for this customization, the default FIFO display order is used. Users will be able to acknowledge the messages in the reverse order they were received.
+
+When configured as **True**, you set a LIFO message order. When configured as **False**, you set a FIFO message order.
+
+### EnableCustomLineSetupDialog
+
+Enable this setting to allow custom line setup dialogs in the Messaging app.
+
+### ShowSendingStatus
+
+>[!NOTE]
+>This setting is removed in Windows 10, version 1709.
Set **ShowSendingStatus** to **True** to display the sending status for SMS/MMS messages.
-## PerSimSettings > _ICCID
+### VoicemailIntercept
-Use to configure settings for each subscriber identification module (SIM) card.
+Partners can define a filter that intercepts an incoming SMS message and triggers visual voicemail synchronization. The filtered message does not appear in the user’s conversation list.
+
+A visual voicemail sync is triggered by an incoming SMS message if the following conditions are met:
+
+- The message sender value starts with the string specified in the SyncSender setting. The length of the specified values must be greater than 3 characters but less than 75 characters.
+
+- The body of the message starts with the string specified in the SyncPrefix setting. The length of the specified values must be greater than 3 characters but less than 75 characters.
+
+- Visual voicemail is configured and enabled. For more information, see [Visual voicemail](https://msdn.microsoft.com/library/windows/hardware/dn790032.aspx).
+
+>[!NOTE]
+>These settings are atomic, so both SyncSender and SyncPrefix must be set.
+>
+>The SyncSender and SyncPrefix values vary for each mobile operator, so you must work with your mobile operators to obtain the correct or required values.
+
+Setting | Description
+--- | ---
+SyncPrefix | Specify a value for SyncPrefix that is greater than 3 characters but less than 75 characters in length. For networks that support it, this value can be the keyword for the SMS notification.
+SyncSender | Specify a value for SyncSender that is greater than 3 characters but less than 75 characters in length. For networks that support it, this value can be a short code of the mailbox server that sends a standard SMS notification.
+
+
+
+## PerSimSettings
+
+Use to configure settings for each subscriber identification module (SIM) card. Enter the Integrated Circuit Card Identifier (ICCID) for the SIM card, click **Add**, and then configure the folowing settings.
+
+### AllowMmsIfDataIsOff
+
+Setting | Description
+--- | ---
+AllowMmsIfDataIsOff | **True** allows MMS if data is off
+AllowMmsIfDataIsOffSupported | **True** shows the toggle for allowing MMS if data is turned off
+AllowMmsIfDataIsOffWhileRoaming | **True** allows MMS if data is off while roaming
### AllowSelectAllContacts
+>[!NOTE]
+>This setting is removed in Windows 10, version 1709.
+
Set to **True** to show the select all contacts/unselect all menu option to allow users to easily select multiple recipients for an SMS or MMS message. This menu option provides users with an easier way to add multiple recipients and may also meet a mandatory requirement for some mobile operator networks.
Windows 10 Mobile supports the following select multiple recipients features:
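Review bot: In DisplayCmasLifo, the third paragraph says that with the default FIFO order "Users will be able to acknowledge the messages in the reverse order they were received", which describes LIFO rather than FIFO; reword it so the default and the **True**/**False** sentence agree. In VoicemailIntercept, "greater than 3 characters but less than 75 characters" leaves the bounds unclear; give the inclusive range. PerSimSettings has the typo "folowing", and AllowSelectAllContacts is marked here as removed in version 1709 even though the General table added later in this patch documents the same setting without that qualifier.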
@@ -55,31 +115,106 @@ Specify whether MMS messages are automatically downloaded.
| AutomaticallyDownload | **True** sets the **Automatically download MMS** toggle to **On** |
| ShowAutomaticallyDownloadMMSToggle | **True** shows the **Automatically download MMS** toggle, and **False** hides the toggle |
+
### DefaultContentLocationUrl
+>[!NOTE]
+>This setting is removed in Windows 10, version 1709.
+
For networks that require it, you can specify the default GET path within the MMSC to use when the GET URL is missing from the WAP push MMS notification.
Set **DefaultContentLocationUrl** to specify the default GET path within the MMSC.
### ErrorCodeEnabled
+>[!NOTE]
+>This setting is removed in Windows 10, version 1709.
+
You can choose to display additional content in the conversation view when an SMS or MMS message fails to send. This content includes a specific error code in decimal format that the user can report to technical support. Common errors also include a friendly string to help the user self-diagnose and fix the problem.
Set to **True** to display the error message with an explanation of the problem and the decimal-format error codes. When set to **False**, the full error message is not displayed.
+### EmergencyAlertOptions
-### ImsiAuthenticationToken
+Configure settings for CMAS alerts.
+
+Setting | Description
+--- | ---
+CmasAMBERAlertEnabled | **True** enables the device to receive AMBER alerts
+CmasExtremeAlertEnabled | **True** enables the device to receive extreme alerts
+CmasSevereAlertEnabled | **True** enables the device to receive severe alerts
+EmOperatorEnabled | Select which Emergency Alerts Settings page is displayed from dropdown menu
+SevereAlertDependentOnExtremeAlert | When set as **True**, the CMAS-Extreme alert option must be on to modify CMAS-Severe alert option
+
+
+### General
+
+Setting | Description
+--- | ---
+AllowSelectAllContacts | Set to **True** to show the **select all contacts/unselect all** menu option to allow users to easily select multiple recipients for an SMS or MMS message. This menu option provides users with an easier way to add multiple recipients and may also meet a mandatory requirement for some mobile operator networks. Windows 10 Mobile supports the following select multiple recipients features:- A multi-select chooser, which enables users to choose multiple contacts.- A **select all contacts/unselect all** menu option, which enables users to select or unselect all their contacts. This option is not shown by default and must be enabled by the OEM.
+AllowSMStoSMTPAddress | Allow SMS to SMTP address.
+AssistedDialingMcc | By setting AssistedDialingMcc and AssistedDialingMnc, international assisted dialing will be enabled for SMS if the user setting for international assisted dialing is enabled. Enter the Mobile Country Code (MCC) to use for sending SMS.
+AssistedDialingMnc | By setting AssistedDialingMcc and AssistedDialingMnc, international assisted dialing will be enabled for SMS if the user setting for international assisted dialing is enabled. Enter the Mobile Network Code (MNC) to use for sending SMS.
+AssistedDialingPlusCodeSupportOverride | For devices that support IMS over SMS, you can override support for the assisted dialing plus (+) code for SMS by setting AssistedDialingPlusCodeSupportOverride. If enabled, the OS will not convert the plus (+) code to the proper assisted number when the user turns on the dialing assist option.
+AutoRetryDownload | You can configure the messaging app to automatically retry downloading an MMS message if the initial download attempt fails. When this customization is enabled, the download is retried 3 times at 20-, 40-, and 60-second intervals.
+BroadcastChannels | You can specify one or more ports from which the device will accept cellular broadcast messages. Set the BroadcastChannels value to the port number(s) that can accept cellular broadcast messages. If you specify the same port that Windows 10 Mobile already recognizes as an Emergency Alert port (a CMAS or ETWS port number) and a cell broadcast message is received on that port, the user will only receive the message once. The message that is received will be displayed as an Emergency Alert message.
+ConvertLongSMStoMMS | For networks that do support MMS and do not support segmentation of SMS messages, you can specify an automatic switch from SMS to MMS for long messages.
+DefaultContentLocationUrl | For networks that require it, you can specify the default GET path within the MMSC to use when the GET URL is missing from the WAP push MMS notification. Set DefaultContentLocationUrl to specify the default GET path within the MMSC.
+ErrorCodeEnabled | You can choose to display additional content in the conversation view when an SMS or MMS message fails to send. This content includes a specific error code in decimal format that the user can report to technical support. Common errors also include a friendly string to help the user self-diagnose and fix the problem. Set to **True** to display the error message with an explanation of the problem and the decimal-format error codes. When set to **False**, the full error message is not displayed.
+HideMediumSIPopups | By default, when a service indication message is received with a signal-medium or signal-high setting, the phone interrupts and shows the user prompt for these messages. However, you can hide the user prompts for signal-medium messages.
+ImsiAuthenticationToken | Configure whether MMS messages include the IMSI in the GET and POST header. Set ImsiAuthenticationToken to the token used as the header for authentication. The string value should match the IMSI provided by the UICC.
+LimitRecipients | Set the maximum number of recipients to which a single SMS or MMS message can be sent. Enter a number between 1 and 500 to limit the maximum number of recipients.
+MaxRetryCount | You can specify the number of times that the phone can retry sending the failed MMS message and photo before the user receives a notification that the photo could not be sent. Specify MaxRetryCount to specify the number of times the MMS transport will attempt resending the MMS message. This value has a maximum limit of 3.
+MMSLimitAttachments | You can specify the maximum number of attachments for MMS messages, from 1 to 20. The default is 5.
+RetrySize | For MMS messages that have photo attachments and that fail to send, you can choose to automatically resize the photo and attempt to resend the message. Specify the maximum size to use to resize the photo in KB. Minimum is 0xA (10 KB).
+SetCacheControlNoTransform | When set, proxies and transcoders are instructed not to change the HTTP header and the content should not be modified. A value of 1 or 0x1 adds support for the HTTP header Cache-Control No-Transform directive. When the SetCacheControlNoTransform``Value is set to 0 or 0x0 or when the setting is not set, the default HTTP header Cache-Control No-Cache directive is used.
+ShowRequiredMonthlyTest | **True** enables devices to receive CMAS Required Monthly Test (RMT) messages and have these show up on the device. **False** disables devices from receiving CMAS RMT messages.
+SmscPanelDisabled | **True** disables the short message service center (SMSC) panel.
+SMStoSMTPShortCode | Use to configure SMS messages to be sent to email addresses and phone numbers. `0` disables sending SMS messages to SMTP addresses. `1` enables sending SMS messages to SMTP addresses.
+TargetVideoFormat | You can specify the transcoding to use for video files sent as attachments in MMS messages. Set TargetVideoFormat to one of the following values to configure the default transcoding for video files sent as attachments in MMS messages:- 0 or 0x0 Sets the transcoding to H.264 + AAC + MP4. This is the default set by the OS.- 1 or 0x1 Sets the transcoding to H.264 + AAC + 3GP.- 2 or 0x2 Sets the transcoding to H.263 + AMR.NB + 3GP.- 3 or 0x3 Sets the transcoding to MPEG4 + AMR.NB + 3GP.
+UAProf | You can specify a user agent profile to use on the phone for MMS messages. The user agent profile XML file details a phone’s hardware specifications and media capabilities so that an MMS application server (MMSC) can return supported optimized media content to the phone. The user agent profile XML file is generally stored on the MMSC. There are two ways to correlate a user agent profile with a given phone:- You can take the user agent string of the phone that is sent with MMS requests and use it as a hash to map to the user agent profile on the MMSC. The user agent string cannot be modified.- Alternatively, you can directly set the URI of the user agent profile on the phone.Set UAProf to the full URI of your user agent profile file. Optionally, you can also specify the custom user agent property name for MMS that is sent in the header by setting UAProfToken to either `x-wap-profile` or `profile`.
+UAProfToken | You can specify a user agent profile to use on the phone for MMS messages. The user agent profile XML file details a phone’s hardware specifications and media capabilities so that an MMS application server (MMSC) can return supported optimized media content to the phone. The user agent profile XML file is generally stored on the MMSC.
+UseDefaultAddress | By default, the MMS transport sends an acknowledgement to the provisioned MMS application server (MMSC). However, on some networks, the correct server to use is sent as a URL in the MMS message. In that case, a registry key must be set, or else the acknowledgement will not be received and the server will continue to send duplicate messages. **True** enables some networks to correctly acknowledge MMS messages. **False** disables the feature.
+UserAgentString | Set UserAgentString to the new user agent string for MMS in its entirely. By default, this string has the format WindowsPhoneMMS/MicrosoftMMSVersionNumber WindowsPhoneOS/OSVersion-buildNumber OEM-deviceName, in which the italicized text is replaced with the appropriate values for the phone.
+UseUTF8ForUnspecifiedCharset | Some incoming MMS messages may not specify a character encoding. To properly decode MMS messages that do not specify a character encoding, you can set UTF-8 to decode the message.
+WapPushTechnology | For networks that require non-standard handling of single-segment incoming MMS WAP Push notifications, you can specify that MMS messages may have some of their content truncated and that they may require special handling to reconstruct truncated field values. `1` or `0x1` enables MMS messages to have some of their content truncated. `0` or `0x0` disables MMS messages from being truncated
+
+## ImsiAuthenticationToken
+
+>[!NOTE]
+>This setting is removed in Windows 10, version 1709.
Configure whether MMS messages include the IMSI in the GET and POST header.
Set **ImsiAuthenticationToken** to the token used as the header for authentication. The string value should match the IMSI provided by the UICC.
+
+### LatAlertOptions
+
+Enable `LatLocalAlertEnabled` to enable support for LAT-Alert Local Alerts for devices sold in Chile. For more information, see [Emergency notifications](https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/emergency-notifications).
+
### MaxRetryCount
+>[!NOTE]
+>This setting is removed in Windows 10, version 1709.
+
You can specify the number of times that the phone can retry sending the failed MMS message and photo before the user receives a notification that the photo could not be sent.
Specify MaxRetryCount to specify the number of times the MMS transport will attempt resending the MMS message. This value has a maximum limit of 3.
+### MMSGroupText
+
+Set options for group messages sent to multiple people.
+
+Setting | Description
+--- | ---
+MMSGroupText | **True** enables group messages to multiple people sent as MMS.
+ShowMMSGroupTextUI | **True** shows the toggle for group text in messaging settings.
+ShowMmsGroupTextWarning | **True** shows the warning that alerts users of possible additional charges before sending a group text as MMS.
+
+### NIAlertOptions
+
+Enable `NI2AlertEnabled` to enable support for the Netherlands Announcements for devices sold in the Netherlands. For more information, see [Emergency notifications](https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/emergency-notifications).
### RcsOptions
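Review bot: The table rows added at the top of this span document MaxRetryCount, TargetVideoFormat, UAProf, UAProfToken, UserAgentString and WapPushTechnology as configurable, while the note added under `### MaxRetryCount` says the setting is removed in Windows 10, version 1709. The note should say where the setting lives now, or the page reads as contradicting itself. `## ImsiAuthenticationToken` is added at heading level 2, although the sibling sections added here (`### LatAlertOptions`, `### MMSGroupText`, `### NIAlertOptions`) are level 3. In the rows themselves, the SetCacheControlNoTransform cell has a stray pair of backticks before "Value", the UserAgentString cell says "in its entirely" and refers to italicized text that the cell does not contain, and the WapPushTechnology cell lacks its final period.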
@@ -103,8 +238,18 @@ Set options related to MMS message notifications. You can specify whether users
| RequestDeliveryReportIsSupported | **True** shows the toggle for MMS delivery confirmation, and **False** hides the toggle. |
+### SMSDeliveryNotify
+
+Setting | Description
+--- | ---
+DeliveryNotifySupported | Set to **True** to enable SMS delivery confirmation.
+SMSDeliveryNotify | Set to **True** to toggle SMS delivery confirmation.
+
### TargetVideoFormat
+>[!NOTE]
+>This setting is removed in Windows 10, version 1709.
+
You can specify the transcoding to use for video files sent as attachments in MMS messages.
Set TargetVideoFormat to one of the following values to configure the default transcoding for video files sent as attachments in MMS messages:
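Review bot: The two rows in the new `### SMSDeliveryNotify` table do not tell the reader how the settings differ: DeliveryNotifySupported is "Set to **True** to enable SMS delivery confirmation" and SMSDeliveryNotify is "Set to **True** to toggle SMS delivery confirmation". The RequestDeliveryReportIsSupported row just above spells out that **True** shows the toggle and **False** hides it; the new rows should use the same pattern and state which one exposes the toggle and which one sets its value. The section also has no introductory sentence, unlike `### MMSGroupText`.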
@@ -119,6 +264,9 @@ Set TargetVideoFormat to one of the following values to configure the default tr
### UAProf
+>[!NOTE]
+>This setting is removed in Windows 10, version 1709.
+
You can specify a user agent profile to use on the phone for MMS messages. The user agent profile XML file details a phone’s hardware specifications and media capabilities so that an MMS application server (MMSC) can return supported optimized media content to the phone. The user agent profile XML file is generally stored on the MMSC.
There are two ways to correlate a user agent profile with a given phone:
@@ -130,6 +278,9 @@ Set **UAProf** to the full URI of your user agent profile file. Optionally, you
### UAProfToken
+>[!NOTE]
+>This setting is removed in Windows 10, version 1709.
+
You can specify a user agent profile to use on the phone for MMS messages. The user agent profile XML file details a phone’s hardware specifications and media capabilities so that an MMS application server (MMSC) can return supported optimized media content to the phone. The user agent profile XML file is generally stored on the MMSC.
Optionally, in addition to specifying **UAProf**, you can also specify the custom user agent property name for MMS that is sent in the header by setting **UAProfToken** to either `x-wap-profile` or `profile`.
@@ -137,6 +288,9 @@ Optionally, in addition to specifying **UAProf**, you can also specify the custo
### UserAgentString
+>[!NOTE]
+>This setting is removed in Windows 10, version 1709.
+
Set **UserAgentString** to the new user agent string for MMS in its entirely.
By default, this string has the format WindowsPhoneMMS/MicrosoftMMSVersionNumber WindowsPhoneOS/OSVersion-buildNumber OEM-deviceName, in which the italicized text is replaced with the appropriate values for the phone.
@@ -147,16 +301,17 @@ By default, this string has the format WindowsPhoneMMS/MicrosoftMMSVersionNumber
| Setting | Description |
| --- | --- |
| ADDR | Specify the absolute MMSC URL. The possible values to configure the ADDR parameter are:- A Uniform Resource Identifier (URI)- An IPv4 address represented in decimal format with dots as delimiters- A fully qualified Internet domain name |
-| APPID | Set to `w4` |
+| APPID | Set to `w4`. |
| MS | (optional) Specify the maximum size of MMS, in KB. If the value is not a number, or is less than or equal to 10, it will be ignored and outgoing MMS will not be resized. |
| NAME | (optional) Enter user–readable application identity. This parameter is also used to define part of the registry path for the APPLICATION parameters. The possible values to configure the **NAME** parameter are:- Character string containing the name- no value specifiedIf no value is specified, the registry location will default to . If **NAME** is greater than 40 characters, it will be truncated to 40 characters. |
| TONAPID | Specify the network access point identification name (NAPID) defined in the provisioning file. This parameter takes a string value. It is only possible to refer to network access points defined within the same provisioning file (except if the INTERNET attribute is set in the NAPDEF characteristic). For more information about the NAPDEF characteristic, see [NAPDEF configuration service provider](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/napdef-csp). |
| TOPROXY | Specify one logical proxy with a matching PROXY-ID. It is only possible to refer to proxies defined within the same provisioning file. Only one proxy can be listed. The TO-PROXY value must be set to the value of the PROXY ID in PXLOGICAL that defines the MMS specific-proxy. |
-
-
### WapPushTechnology
+>[!NOTE]
+>These settings are removed in Windows 10, version 1709.
+
For networks that require non-standard handling of single-segment incoming MMS WAP Push notifications, you can specify that MMS messages may have some of their content truncated and that they may require special handling to reconstruct truncated field values.
| Value | Description |
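Review bot: The note added under `### WapPushTechnology` says "These settings are removed", while every other note in this file says "This setting is removed", and the section documents a single setting with a value table. If the plural is meant to cover more than WapPushTechnology, name the settings; otherwise use the singular wording for consistency.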
@@ -167,5 +322,4 @@ For networks that require non-standard handling of single-segment incoming MMS W
## Related topics
-
-- [w4 APPLICATION CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/w4-application-csp)
\ No newline at end of file
+ - [Customizations for SMS and MMS](https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/customizations-for-sms-and-mms)
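Review bot: The `w4 APPLICATION CSP` link is dropped from Related topics, but the page still documents the w4 APPLICATION parameters (ADDR, `APPID` set to `w4`, TONAPID, TOPROXY) in the table a few lines up, so readers lose the reference for those values. Keep the CSP link alongside the new one. The added list item also starts with a space before the `-`, which the removed item did not have.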
diff --git a/windows/configuration/wcd/wcd-modemconfigurations.md b/windows/configuration/wcd/wcd-modemconfigurations.md
index 98bae12f8b..eb663dfd65 100644
--- a/windows/configuration/wcd/wcd-modemconfigurations.md
+++ b/windows/configuration/wcd/wcd-modemconfigurations.md
@@ -7,12 +7,12 @@ ms.sitesec: library
author: jdeckerMS
ms.localizationpriority: medium
ms.author: jdecker
-ms.date: 08/21/2017
+ms.date: 10/17/2017
---
# ModemConfiguration (Windows Configuration Designer reference)
-Documentation not available at this time.
+ModemConfiguration settings are removed in Windows 10, version 1709.
## Applies to
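Review bot: The new body sentence says ModemConfiguration settings are removed in Windows 10, version 1709, but the `## Applies to` section is left in place directly below it. State which versions the settings still apply to, or qualify the Applies to table, so the page does not list editions for a setting group it has just declared removed.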
diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md
index f672b70b05..5419cb3598 100644
--- a/windows/configuration/wcd/wcd-policies.md
+++ b/windows/configuration/wcd/wcd-policies.md
@@ -7,7 +7,7 @@ ms.sitesec: library
author: jdeckerMS
ms.localizationpriority: medium
ms.author: jdecker
-ms.date: 08/21/2017
+ms.date: 10/17/2017
---
# Policies (Windows Configuration Designer reference)
@@ -76,9 +76,9 @@ This section describes the **Policies** settings that you can configure in [prov
| --- | --- | :---: | :---: | :---: | :---: | :---: |
| [AllowAdvertising](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-allowadvertising) | Whether the device can send out Bluetooth advertisements | X | X | X | X | X |
| [AllowDiscoverableMode](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-allowdiscoverablemode) | Whether other Bluetooth-enabled devices can discover the device | X | X | X | X | X |
-| [AllowPrepairing](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-allowprepairing) | Whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device | X | X | X | X | X |
-| [LocalDeviceName](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-localdevicename) | Set the local Bluetooth device name | X | X | X | X | X |
-| [ServicesAllowedList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-servicesallowedlist) | Set a list of allowable services and profiles | X | X | | | |
+| [AllowPrepairing](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-allowprepairing) | Whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device | X | X | X | | X |
+| [LocalDeviceName](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-localdevicename) | Set the local Bluetooth device name | X | X | X | | X |
+| [ServicesAllowedList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-servicesallowedlist) | Set a list of allowable services and profiles | X | X | | X | |
## Browser
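Review bot: The support matrix changes in the three Bluetooth rows are hard to verify because the header row is outside the hunk. Going by the header used for the other tables in this file, AllowPrepairing and LocalDeviceName drop HoloLens while ServicesAllowedList gains HoloLens and stays blank for Surface Hub and IoT Core. Please confirm the fourth column is the intended one and that the result matches the Policy CSP entries these rows link to.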
@@ -104,7 +104,7 @@ This section describes the **Policies** settings that you can configure in [prov
| [ConfigureAdditionalSearchEngines](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-configureadditionalsearchengines) | Allows you to add up to 5 addtional search engines for MDM-enrolled devices. | X | X | X | | |
| [DisableLockdownOfStartPages](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-disablelockdownofstartpages) | Specify whether the lockdown on the Start pages is disabled. | X | | | | |
| [EnterpriseModeSiteList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-enterprisemodesitelist) | Allow the user to specify a URL of an enterprise site list. | X | | | | |
-| EnterpriseSiteListServiceUrl | This policy (introduced in Windows 10, version 1507) was deprecated in Windows 10, version 1511 by [Browser/EnterpriseModeSiteList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-enterprisemodesitelist). | X | | | | |
+| [EnterpriseSiteListServiceUrl](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enterprisesitelistserviceurl) | This policy (introduced in Windows 10, version 1507) was deprecated in Windows 10, version 1511 by [Browser/EnterpriseModeSiteList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-enterprisemodesitelist). | X | | | | |
| [FirstRunURL](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-firstrunurl) | Specify the URL that Microsoft Edge will use when it is opened for the first time. | | X | | | |
| [HomePages](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-homepages) | Specify your Start pages for MDM-enrolled devices. | X | | | | |
| [PreventAccessToAboutFlagsInMicrosoftEdge](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-preventaccesstoaboutflagsinmicrosoftedge) | Specify whether users can access the **about:flags** page, which is used to change developer settings and to enable experimental features. | X | X | X | | |
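Review bot: The EnterpriseSiteListServiceUrl row now mixes two link styles in one line: the setting name points at `docs.microsoft.com/windows/client-management/mdm/policy-csp-browser`, while the EnterpriseModeSiteList link in its description still points at the older `msdn.microsoft.com/.../policy-configuration-service-provider` URL. Since the line is being touched anyway, update the second link to the same docs.microsoft.com target format.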
@@ -130,7 +130,7 @@ This section describes the **Policies** settings that you can configure in [prov
| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [AllowBluetooth](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowbluetooth) | Allow the user to enable Bluetooth or restrict access. | X | X | X | | |
+| [AllowBluetooth](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowbluetooth) | Allow the user to enable Bluetooth or restrict access. | X | X | X | X | |
| [AllowCellularData](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowcellulardata) | Allow the cellular data channel on the device. | X | X | X | | |
| [AllowCellularDataRoaming](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowcellulardataroaming) | Allow or disallow cellular data roaming on the device. | X | X | X | | |
| [AllowConnectedDevices](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowconnecteddevices) | Allows IT admins the ability to disable the Connected Devices Platform component. | X | X | X | | |
@@ -141,6 +141,12 @@ This section describes the **Policies** settings that you can configure in [prov
| HideCellularConnectionMode | Hide the checkbox that lets the user change the connection mode. | X | X | X | | |
| HideCellularRoamingOption | Hide the dropdown menu that lets the user change the roaming preferences. | X | X | X | | |
+## CredentialProviders
+
+| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: | :---: |
+[DisableAutomaticReDeploymentCredentials](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-credentialproviders) | This setting disables the visibility of the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device. The Windows 10 Automatic ReDeployment feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the automatic redeployment is triggered the devices are for ready for use by information workers or students. | X | | | | |
+
## Cryptography
| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
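Review bot: The DisableAutomaticReDeploymentCredentials row starts without a leading `|`, unlike the header and separator rows added directly above it and the rows in the neighbouring tables. The description also contains "the devices are for ready for use" (extra "for") and "allows admin to reset" (missing article), and the link goes to the policy-csp-credentialproviders page without an anchor for the specific policy.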
@@ -200,6 +206,11 @@ This section describes the **Policies** settings that you can configure in [prov
| [DOMonthlyUploadDataCap](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-domonthlyuploaddatacap) | Specify the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. | X | | | | |
| [DOPercentageMaxDownloadBandwidth](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-dopercentagemaxdownloadbandwidth) | Specify the maximum download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. | X | | | | |
+## DeviceGuard
+
+| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: | :---: |
+[EnableVirtualizationBasedSecurity](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceguard) | Turns on virtualization based security(VBS) at the next reboot. virtualization based security uses the Windows Hypervisor to provide support for security services. | X | | | | |
## DeviceLock
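Review bot: The EnableVirtualizationBasedSecurity row is missing the leading `|` that the header rows use, and the description needs a space in "security(VBS)" and a capital at the start of its second sentence ("virtualization based security uses ..."). This section also adds no trailing blank line, whereas the CredentialProviders and ExploitGuard sections added in this patch do, so check that the table is separated from the adjacent heading.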
@@ -238,18 +249,24 @@ This section describes the **Policies** settings that you can configure in [prov
| [AllowManualMDMUnenrollment](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowmanualmdmunenrollment) | Specify whether the user is allowed to delete the workplace account. | X | X | | | |
| [AllowScreenCapture](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowscreencapture) | Specify whether screen capture is allowed. | | X | | | |
| [AllowSIMErrorDialogPromptWhenNoSIM](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowsimerrordialogpromptwhennosim) | Specify whether to display a dialog prompt when no SIM card is detected. | | X | | | |
-| [AllowSyncMySettings](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowsyncmysettings) | Allow or disallow all Windows sync settings on the device. | X | | | | |
+| [AllowSyncMySettings](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowsyncmysettings) | Allow or disallow all Windows sync settings on the device. | X | X | | | |
| [AllowTailoredExperiencesWithDiagnosticData](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowtailoredexperienceswithdiagnosticdata) | Prevent Windows from using diagnostic data to provide customized experiences to the user. | X | | | | |
| [AllowTaskSwitcher](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowtaskswitcher) | Allow or disallow task switching on the device. | | X | | | |
| [AllowThirdPartySuggestionsInWindowsSpotlight](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowthirdpartysuggestionsinwindowsspotlight) | Specify whether to allow app and content suggestions from third-party software publishers in Windows Spotlight. | X | | | | |
| [AllowVoiceRecording](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowvoicerecording) | Specify whether voice recording is allowed for apps. | | X | | | |
-| [AllowWindowsConsumerFeatures](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowwindowsconsumerfeatures) | Turn on experiences that are typically for consumers only, such as Start suggetions, membership notifications, post-OOBE app install, and redirect tiles. | X | | | | |
+| [AllowWindowsConsumerFeatures](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsconsumerfeatures) | Turn on experiences that are typically for consumers only, such as Start suggetions, membership notifications, post-OOBE app install, and redirect tiles. | X | | | | |
| [AllowWindowsSpotlight](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowwindowsspotlight) |Specify whether to turn off all Windows Spotlight features at once. | X | | | | |
| [AllowWindowsSpotlightOnActionCenter](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowwindowsspotlightonactioncenter) | Prevent Windows Spotlight notifications from being displayed in the Action Center. | X | | | | |
| [AllowWindowsSpotlightWindowsWelcomeExperience](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowwindowsspotlightwindowswelcomeexperience) | Turn off the Windows Spotlight Windows welcome experience feature. | X | | | | |
| [AllowWindowsTips](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowwindowstips) | Enable or disable Windows Tips. | X | | | | |
| [ConfigureWindowsSpotlightOnLockScreen](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-configurewindowsspotlightonlockscreen) | Specify whether Spotlight should be used on the user's lock screen. | X | | | | |
+## ExploitGuard
+
+| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | --- | :---: | :---: | :---: | :---: | :---: |
+| [ExploitProtectionSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) | See the [explanation of ExploitProtectionSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) in the Policy CSP for instructions. In the **ExploitProtectionSettings** field, you can enter a path (local, UNC, or URI) to the mitigation options config, or you can enter the XML for the config. | X | X | | | |
+
## Games
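Review bot: The ExploitProtectionSettings row says the field accepts "a path (local, UNC, or URI) to the mitigation options config" but gives no guidance on who may write to that location. Because this file determines which exploit mitigations the device applies, add a sentence recommending a location that only administrators can modify. Both links in the row go to the same policy-csp-exploitguard URL, so one of them is redundant. The AllowWindowsConsumerFeatures line is also being changed and still carries the typo "suggetions".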
@@ -310,27 +327,29 @@ This section describes the **Policies** settings that you can configure in [prov
| [AllowDataSense](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-allowdatasense) | Allow the user to change Data Sense settings. | | X | | | |
| [AllowVPN](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-allowvpn) | Allow the user to change VPN settings. | | X | | | |
| [ConfigureTaskbarCalendar](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-configuretaskbarcalendar) | Configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. | X | | | | |
+[PageVisiblityList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-settings#settings-pagevisibilitylist) | Allows IT admins to prevent specific pages in the System Settings app from being visible or accessible. Pages are identified by a shortened version of their already [published URIs](https://docs.microsoft.com/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference), which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:foo", the page identifier used in the policy will be just "foo". Multiple page identifiers are separated by semicolons. | X | | | | |
## Start
| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | --- | :---: | :---: | :---: | :---: | :---: |
-| AllowPinnedFolderDocuments | Control the visibility of the Documents shortcut on the Start menu. | X | | | | |
-| AllowPinnedFolderDownloads | Control the visibility of the Downloadds shortcut on the Start menu. | X | | | | |
-| AllowPinnedFolderFileExplorer | Control the visibility of the File Explorer shortcut on the Start menu. | X | | | | |
-| AllowPinnedFolderHomeGroup | Control the visibility of the Home Group shortcut on the Start menu. | X | | | | |
-| AllowPinnedFolderMusic | Control the visibility of the Music shortcut on the Start menu. | X | | | | |
-| AllowPinnedFolderNetwork | Control the visibility of the Network shortcut on the Start menu. | X | | | | |
-| AllowPinnedFolderPersonalFolder | Control the visibility of the Personal Folder shortcut on the Start menu. | X | | | | |
-| AllowPinnedFolderPictures | Control the visibility of the Pictures shortcut on the Start menu. | X | | | | |
-| AllowPinnedFolderSettings | Control the visibility of the Settings shortcut on the Start menu. | X | | | | |
-| AllowPinnedFolderVideos |Control the visibility of the Videos shortcut on the Start menu. | X | | | | |
+| [AllowPinnedFolderDocuments](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderdocuments) | Control the visibility of the Documents shortcut on the Start menu. | X | | | | |
+| [AllowPinnedFolderDownloads](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderdownloads) | Control the visibility of the Downloadds shortcut on the Start menu. | X | | | | |
+| [AllowPinnedFolderFileExplorer](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderfileexplorer) | Control the visibility of the File Explorer shortcut on the Start menu. | X | | | | |
+| [AllowPinnedFolderHomeGroup](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderhomegroup) | Control the visibility of the Home Group shortcut on the Start menu. | X | | | | |
+| [AllowPinnedFolderMusic](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldermusic) | Control the visibility of the Music shortcut on the Start menu. | X | | | | |
+| [AllowPinnedFolderNetwork](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldernetwork) | Control the visibility of the Network shortcut on the Start menu. | X | | | | |
+| [AllowPinnedFolderPersonalFolder](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderpersonalfolder) | Control the visibility of the Personal Folder shortcut on the Start menu. | X | | | | |
+| [AllowPinnedFolderPictures](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderpictures) | Control the visibility of the Pictures shortcut on the Start menu. | X | | | | |
+| [AllowPinnedFolderSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldersettings) | Control the visibility of the Settings shortcut on the Start menu. | X | | | | |
+| [AllowPinnedFolderVideos](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldervideos) |Control the visibility of the Videos shortcut on the Start menu. | X | | | | |
| [ForceStartSize](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-forcestartsize) | Force the size of the Start screen. | X | | | | |
| [HideAppList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideapplist) | Collapse or remove the all apps list. | X | | | | |
| [HideChangeAccountSettings](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings) | Hide **Change account settings** from appearing in the user tile. | X | | | | |
| [HideFrequentlyUsedApps](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps) | Hide **Most used** section of Start. | X | | | | |
| [HideHibernate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidehibernate) | Prevent **Hibernate** option from appearing in the Power button. | X | | | | |
| [HideLock](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidelock) | Prevent **Lock** from appearing in the user tile. | X | | | | |
+| HidePeopleBar | Remove the people icon from the taskbar, as well as the corresponding settings toggle. It also prevents users from pinning people to the taskbar. | X | | | | |
| [HidePowerButton](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidepowerbutton) | Hide the **Power** button. | X | | | | |
| [HideRecentJumplists](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentjumplists) | Hide jumplists of recently opened items. | X | | | | |
| [HideRecentlyAddedApps](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps) | Hide **Recently added** section of Start. | X | | | | |
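Review bot: The new Settings row spells the policy name "PageVisiblityList", while the anchor it links to is `settings-pagevisibilitylist`; admins searching for the policy by name will miss it, so correct the link text to PageVisibilityList. The same row is missing its leading `|`. In the Start table, the AllowPinnedFolderDownloads line is rewritten but keeps the typo "Downloadds", and the added HidePeopleBar row is the only new entry in this hunk without a link to its Policy CSP entry.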
@@ -356,6 +375,7 @@ This section describes the **Policies** settings that you can configure in [prov
| [AllowTelemetry](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowtelemetry) | Allow the device to send diagnostic and useage telemetry data. | X | X | | | |
| [AllowUserToResetPhone](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowusertoresetphone) | Allow the user to factory reset the phone. | X | X | | | |
| [DisableOneDriveFileSync](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-disableonedrivefilesync) | Prevent apps and features from working with files on OneDrive. | X | | | | |
+| [LimitEnhancedDiagnosticDataWindowsAnalytics](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics) | This policy setting, in combination with the System/AllowTelemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. To enable this behavior you must enable this policy setting, and set Allow Telemetry to level 2 (Enhanced). When you configure these policy settings, a basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented in [Windows 10, version 1703 basic level Windows diagnostic events and fields](https://go.microsoft.com/fwlink/?linkid=847594). Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level telemetry data. This setting has no effect on computers configured to send full, basic or security level diagnostic data to Microsoft. If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy. | X | X | | | |
## TextInput
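Review bot: The LimitEnhancedDiagnosticDataWindowsAnalytics cell carries a full multi-sentence policy description where every other row in this table is a single sentence, and the one condition an administrator must not miss is buried in the middle: the setting only takes effect when System/AllowTelemetry is set to level 2 (Enhanced). Suggest leading the cell with that dependency in one sentence and leaving the rest to the linked CSP topic. While touching this table, the AllowTelemetry context row above still reads "useage".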
@@ -390,25 +410,35 @@ This section describes the **Policies** settings that you can configure in [prov
| --- | --- | :---: | :---: | :---: | :---: | :---: |
| [ActiveHoursEnd](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursend) | Use with **Update/ActiveHoursStart** to manage the range of active hours where update rboots are not scheduled. | X | X | X | X | X |
| [ActiveHoursMaxRange](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursmaxrange) | Specify the maximum active hours range. | X | X | X | X | X |
-| [ActiveHoursStart](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursstart) | Use with **Update/ActiveHoursEnd** to manage the range of active hours where update rboots are not scheduled. | X | X | X | X | X |
+| [ActiveHoursStart](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursstart) | Use with **Update/ActiveHoursEnd** to manage the range of active hours where update reboots are not scheduled. | X | X | X | X | X |
| [AllowautoUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowautoupdate) | Configure automatic update behavior to scan, download, and install updates. | X | X | X | X | X |
+| [AllowAutoWindowsUpdateDownloadOverMeteredNetwork](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautowindowsupdatedownloadovermeterednetwork)| Option to download updates automatically over metered connections (off by default). Enter `0` for not allowed, or `1` for allowed. | X | X | X | X | X |
| [AllowMUUpdateService](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowmuupdateservice) | Manage whether to scan for app updates from Microsoft Update. | X | X | X | X | X |
| [AllowNonMicrosoftSignedUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | Manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. | X | X | X | X | X |
| [AllowUpdateService](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowupdateservice) | Specify whether the device can use Microsoft Update, Windows Server Update Services (WSUS), or Windows Store. | X | X | X | X | X |
-| AutoRestartDeadlinePeriodInDays | Specify number of days (between 2 and 30) after which a forced restart will occur outside of active hours when restart is pending. | X | X | X | X | X |
+| [AutoRestartDeadlinePeriodInDays](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindays) | Specify number of days (between 2 and 30) after which a forced restart will occur outside of active hours when restart is pending. | X | X | X | X | X |
| [AutoRestartNotificationSchedule](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-autorestartnotificationschedule) | Specify the period for auto-restart reminder notifications. | X | X | X | X | X |
| [AutoRestartRequiredNotificationDismissal](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-autorestartrequirednotificationdismissal) | Specify the method by which the auto-restart required notification is dismissed. | X | X | X | X | X |
| [BranchReadinessLevel](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-branchreadinesslevel) | Select which branch a device receives their updates from. | X | X | X | X | X |
| [DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-deferfeatureupdatesperiodindays) | Defer Feature Updates for the specified number of days. | X | X | X | X | X |
| [DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-deferqualityupdatesperiodindays) | Defer Quality Updates for the specified number of days. | X | X | X | X | X |
+| [DeferUpdatePeriod](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-deferupdateperiod) | Specify update delays for up to 4 weeks. | X | X | X | X | X |
+| [DeferUpgradePeriod](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-deferupgradeperiod) |Specify upgrade delays for up to 8 months. | X | X | X | X | X |
| [DetectionFrequency](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-detectionfrequency) | Specify the frequency to scan for updates, from every 1-22 hours. | X | X | X | X | X |
+| [DisableDualScan](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-disabledualscan) | Do not allow update deferral policies to cause scans against Windows Update. | X | X | X | X | X |
| [EngagedRestartDeadline](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-engagedrestartdeadline) | Specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. | X | X | X | X | X |
| [EngagedRestartSnoozeSchedule](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-engagedrestartsnoozeschedule) | Specify the number of days a user can snooze Engaged restart reminder notifications. | X | X | X | X | X |
| [EngagedRestartTransitionSchedule](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-engagedrestarttransitionschedule) | Specify the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. | X | X | X | X | X |
| [FillEmptyContentUrls](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-fillemptycontenturls) | Allow Windows Update Agent to determine the download URL when it is missing from the metadata. | X | X | X | X | X |
+| ManagePreviewBuilds | Use to enable or disable preview builds. | X | X | X | X | X |
| PhoneUpdateRestrictions | Deprecated | | X | | | |
| [RequireDeferUpgrade](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-requiredeferupgrade) | Configure device to receive updates from Current Branch for Business (CBB). | X | X | X | X | X |
| [ScheduledInstallDay](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-scheduledinstallday) | Schedule the day for update installation. | X | X | X | X | X |
+| [ScheduledInstallEveryWeek](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstalleveryweek) | To schedule update installation every week, set the value as `1`. | X | X | X | X | X |
+| [ScheduledInstallFirstWeek](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfirstweek) | To schedule update installation the first week of the month, see the value as `1`. | X | X | X | X | X |
+| [ScheduledInstallFourthWeek](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfourthweek) | To schedule update installation the fourth week of the month, see the value as `1`. | X | X | X | X | X |
+| [ScheduledInstallSecondWeek](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallsecondweek) | To schedule update installation the second week of the month, see the value as `1`. | X | X | X | X | X |
+| [ScheduledInstallThirdWeek](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallthirdweek) | To schedule update installation the third week of the month, see the value as `1`. | X | X | X | X | X |
| [ScheduledInstallTime](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-scheduledinstalltime) | Schedule the time for update installation. | X | X | X | X | X |
| [ScheduleImminentRestartWarning](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-scheduleimminentrestartwarning) | Specify the period for auto-restart imminent warning notifications. | X | X | X | X | X ||
| [ScheduleRestartWarning](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-schedulerestartwarning) | Specify the period for auto-restart warning reminder notifications. | X | X | X | X | X |
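Review bot: The four added rows ScheduledInstallFirstWeek, ScheduledInstallFourthWeek, ScheduledInstallSecondWeek and ScheduledInstallThirdWeek all say "see the value as `1`". This looks like a typo for "set the value", which is the wording used in the ScheduledInstallEveryWeek row. The hunk also corrects "rboots" in ActiveHoursStart but leaves the same misspelling in the ActiveHoursEnd row two lines above it. The new ManagePreviewBuilds row has no link, although the other added rows link to policy-csp-update. The DeferUpgradePeriod row is missing the space after the second pipe; that is harmless when rendered but inconsistent with the rest of the table.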
diff --git a/windows/configuration/wcd/wcd-textinput.md b/windows/configuration/wcd/wcd-textinput.md
new file mode 100644
index 0000000000..f6f910591d
--- /dev/null
+++ b/windows/configuration/wcd/wcd-textinput.md
@@ -0,0 +1,206 @@
+---
+title: TextInput (Windows 10)
+description: This section describes the TextInput settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+ms.localizationpriority: medium
+ms.author: jdecker
+ms.date: 10/17/2017
+---
+
+# TextInput (Windows Configuration Designer reference)
+
+Use TextInput settings to configure text intelligence and keyboard for mobile devices.
+
+## Applies to
+
+| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| Intelligence > DisablePredictions | | X | | | |
+| PreEnabledKeyboard | | X | | | |
+
+## Intelligence
+
+Set **DisablePredictions** to the locale or alternative input language that must have the text intelligence features disabled. For example, to disable text correction and suggestions for English (UK), set the value of **DisablePredictions** to `en-gb`.
+
+## PreEnabledKeyboard
+
+In addition to the automatically-enabled default keyboard, OEMs may choose to pre-enable more keyboards for a particular market.
+
+During phone bring-up, OEMs must set the boot locale, or default locale, for the phone. During first boot, Windows Phone reads the locale setting and automatically enables a default keyboard based on the locale to keyboard mapping table in Set languages and locales.
+
+The mapping works for almost all regions and additional customizations are not needed unless specified in the pre-enabled keyboard column in Set languages and locales. If an OEM chooses to pre-enable more keyboards for a particular market, they can do so by specifying the setting. Pre-enabled keyboards will automatically be enabled during boot. Microsoft recommends that partners limit the number of pre-enabled keyboards to those languages that correspond to the languages spoken within the market.
+
+
+PreEnabledKeyboard must be entered once for each keyboard you want to pre-enable. As shown below, the format to specify a particular keyboard must be: Locale code.Locale value. See the following table for more information on the locale codes and values that you can use. The setting Value must be set to 1 to enable the keyboard.
+
+The following table shows the values that you can use for the Locale code.Locale value part of the setting name.
+
+>[!NOTE]
+>The keyboards for some locales require additional language model files: am-ET, bn-IN, gu-IN, hi-IN, ja-JP, kn-IN, ko-KR, ml-IN, mr-IN, my-MM, or-IN, pa-IN, si-LK, ta-IN, te-IN, zh-TW, zh-CN, and zh-HK.
+
+
+Name | Locale code | Keyboard layout value
+--- | --- | ---
+Afrikaans (South Africa) | af-ZA | 1
+Albanian | sq-AL | 1
+Amharic | am-ET | 1
+Arabic | ar-SA | 1
+Armenian | hy-AM | 1
+Assamese - INSCRIPT | as-IN | 1
+Azerbaijani (Cyrillic) | az-Cyrl-AZ | 1
+Azerbaijani (Latin) | az-Latn-AZ | 1
+Bangla (Bangladesh) - 49 key | bn-BD | 1
+Bangla (India) - INSCRIPT |bn-IN|1
+Bangla (India) - Phonetic|bn-IN|2
+Bashkir|ba-RU|1
+Basque|eu-ES|1
+Belarusian|be-BY|1
+Bosnian (Cyrillic)|bs-Cyrl-BA|1
+Bosnian (Latin)|bs-Latn-BA|1
+Bulgarian|bg-BG|1
+Catalan|ca-ES|1
+Central Kurdish|ku-Arab-IQ|1
+Cherokee|chr-Cher-US|1
+Chinese Simplified QWERTY|zh-CN|1
+Chinese Simplified - 12-key|zh-CN|2
+Chinese Simplified - Handwriting|zh-CN|3
+Chinese Simplified - Stroke|zh-CN|4
+Chinese Traditional (Hong Kong SAR) - Cangjie|zh-HK|1
+Chinese Traditional (Hong Kong SAR) - Quick|zh-HK|2
+Chinese Traditional (Hong Kong SAR) - Stroke|zh-HK|3
+Chinese Traditional (Taiwan) - BoPoMoFo|zh-TW|1
+Chinese Traditional (Taiwan) - Handwriting|zh-TW|2
+Croatian|hr-HR|1
+Czech|cs-CZ|1
+Danish|da-DK|1
+Divehi|dv-MV|1
+Dutch (Belgium)|nl-BE|1
+Dutch (Netherlands)|nl-NL|1
+Dzongkha|dz-BT|1
+English (Australia)|en-AU|1
+English (Canada)|en-CA|1
+English (India)|en-IN|1
+English (Ireland)|en-IE|1
+English (United Kingdom)|en-GB|1
+English (United States)|en-US|1
+Estonian|et-EE|1
+Faroese|fo-FO|1
+Filipino|fil-PH|1
+Finnish|fi-FI|1
+French (Belgium)|fr-BE|1
+French (Canada)|fr-CA|1
+French (France)|fr-FR|1
+French (Switzerland)|fr-CH|1
+Galician|gl-ES|1
+Georgian|ka-GE|1
+German (Germany)|de-DE|1
+German (Switzerland)|de-CH|1
+Greek|el-GR|1
+Greenlandic|kl-GL|1
+Guarani|gn-PY|1
+Gujarati - INSCRIPT|gu-IN|1
+Gujarati - Phonetic|gu-IN|2
+Hausa|ha-Latn-NG|1
+Hebrew|he-IL|1
+Hindi - 37-key|hi-IN|1
+Hindi - INSCRIPT|hi-IN|3
+Hindi - Phonetic|hi-IN|2
+Hinglish|hi-Latn|1
+Hungarian|hu-HU|1
+Icelandic|is-IS|1
+Igbo|ig-NG|1
+Indonesian|id-ID|1
+Inuktitut - Latin|iu-Latn-CA|1
+Irish|ga-IE|1
+Italian|it-IT|1
+Japanese - 12-key|ja-JP|1
+Japanese - QWERTY|ja-JP|2
+Kannada - INSCRIPT|kn-IN|1
+Kannada - Phonetic|kn-IN|2
+Kazakh|kk-KZ|1
+Khmer|km-KH|1
+Kinyarwanda|rw-RW|1
+Kiswahili|sw-KE|1
+Konkani|kok-IN|1
+Korean - 12-key Chunjiin|ko-KR|2
+Korean - 12-key Naratgeul|ko-KR|3
+Korean - 12-key Sky|ko-KR|4
+Korean - QWERTY|ko-KR|1
+Kyrgyz|ky-KG|1
+Lao|lo-LA|1
+Latvian|lv-LV|1
+Lithuanian|lt-LT|1
+Luxembourgish|lb-LU|1
+Macedonian|mk-MK|1
+Malay (Brunei Darussalam)|ms-BN|1
+Malay (Malaysia)|ms-MY|1
+Malayalam - INSCRIPT|ml-IN|1
+Malayalam - Phonetic|ml-IN|2
+Maltese|mt-MT|1
+Maori|mi-NZ|1
+Marathi - INSCRIPT|mr-IN|1
+Marathi - Phonetic|mr-IN|2
+Mongolian - Cyrillic|mn-MN|1
+Mongolian - Traditional Mongolian|mn-Mong-CN|1
+Myanmar|my-MM|1
+Nepali|ne-NP|1
+Norwegian - Bokmal|nb-NO|1
+Norwegian - Nynorsk|ny-NO|1
+Odia - INSCRIPT|or-IN|1
+Odia - Phonetic|or-IN|2
+Pashto|ps-AF|1
+Persian|fa-IR|1
+Polish|pl-PL|1
+Portuguese (Brazil)|pt-BR|1
+Portuguese (Portugal)|pt-PT|1
+Punjabi - INSCRIPT|pa-IN|1
+Punjabi - Phonetic|pa-IN|2
+Romanian|ro-RO|1
+Romansh|rm-CH|1
+Russian|ru-RU|1
+Sakha|sah-RU|1
+Sami, Northern (Norway)|se-NO|1
+Sami, Northern (Sweden)|se-NO|1
+Scottish Gaelic|gd-GB|1
+Serbian - Cyrillic|sr-Cyrl-RS|1
+Serbian - Latin|sr-Latn-RS|1
+Sesotho sa Leboa|nso-ZA|1
+Setswana|tn-ZA|1
+Sinhala|si-LK|1
+Slovak|sk-SK|1
+Slovenian|sl-SI|1
+Sorbian, Upper|hsb-DE|1
+Spanish (Mexico)|es-MX|1
+Spanish (Spain)|es-ES|1
+Swedish|sv-SE|1
+Syriac|syr-SY|1
+Tajik|tg-Cyrl-TJ|1
+Tamazight (Central Atlas) - Tifinagh|tzm-Tfng-MA|1
+Tamazight (Central Atlas) - Latin|tzm-Latn-DZ|1
+Tamil - INSCRIPT|ta-IN|1
+Tamil - Phonetic|ta-IN|2
+Tatar|tt-RU|1
+Telugu - INSCRIPT|te-IN|1
+Telugu - Phonetic|te-IN|2
+Thai|th-TH|1
+Tibetan|bo-CN|1
+Turkish|tr-TR|1
+Turkmen|tk-TM|1
+Ukrainian|uk-UA|1
+Urdu|ur-PK|1
+Uyghur|ug-CN|1
+Uzbek - Cyrillic|uz-Cyrl-UZ|1
+Uzbek - Latin|uz-Latn-UZ|1
+Valencian|ca-ES-valencia|1
+Vietnamese - QWERTY|vi-VN|1
+Vietnamese - TELEX|vi-VN|2
+Vietnamese - VNI|vi-VN|3
+Welsh|cy-GB|1
+Wolof|N/A|1
+Xhosa|xh-ZA|1
+Yoruba|yo-NG|1
+Zulu|zu-ZA|1
+
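Review bot: In the locale table, "Sami, Northern (Sweden)" is given the locale code se-NO, identical to the "Sami, Northern (Norway)" row directly above it, so two differently named keyboards map to the same setting name; please confirm the intended code for the Sweden row. Two more entries are worth checking against the source list: "Norwegian - Nynorsk" is listed as ny-NO, whereas the usual language tag for Nynorsk is nn, and "Wolof" has N/A as its locale code, which cannot be used in the Locale code.Locale value setting name the text requires. The PreEnabledKeyboard paragraph says "As shown below, the format to specify a particular keyboard must be" but no example follows. Adding one concrete name/value pair would make the format unambiguous. The DisablePredictions example uses `en-gb` while the table writes en-GB, so state whether case matters.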
diff --git a/windows/configuration/wcd/wcd-universalappinstall.md b/windows/configuration/wcd/wcd-universalappinstall.md
index 50f88c2fdc..e5fde4a704 100644
--- a/windows/configuration/wcd/wcd-universalappinstall.md
+++ b/windows/configuration/wcd/wcd-universalappinstall.md
@@ -7,7 +7,7 @@ ms.sitesec: library
author: jdeckerMS
ms.localizationpriority: medium
ms.author: jdecker
-ms.date: 08/21/2017
+ms.date: 10/17/2017
---
# UniversalAppInstall (reference)
@@ -24,6 +24,7 @@ Use UniversalAppInstall settings to install Windows apps from the Microsoft Stor
| --- | :---: | :---: | :---: | :---: | :---: |
| [DeviceContextApp](#devicecontextapp) | X | | X | | |
| [DeviceContextAppLicense](#devicecontextapplicense) | X | | X | | |
+| [StoreInstall](#storeinstall) | X | X | X | X | X |
| [UserContextApp](#usercontextapp) | X | X | X | X | X |
| [UserContextAppLicense](#usercontextapplicense) | X | X | X | X | X |
@@ -55,6 +56,19 @@ Use to specify the license file for the provisioned app.
2. Select the LicenseProductId in the Available Customizations pane, and then browse to and select the app license file.
+## StoreInstall
+
+Use to install an app from the Microsoft Store for Business.
+
+1. Enter a package family name, and then click **Add**.
+2. Configure the following required settings for the app package.
+
+Setting | Description
+--- | ---
+Flags | Description not available at this time.
+ProductID | Enter the product ID. [Learn how to find the product ID.](https://docs.microsoft.com/microsoft-store/microsoft-store-for-business-education-powershell-module#view-items-in-products-and-services)
+SkuID | Enter the SKU ID. [Learn how to find the SKU ID.](https://docs.microsoft.com/microsoft-store/microsoft-store-for-business-education-powershell-module#view-items-in-products-and-services)
+
## UserContextApp
Use to add a new user context app.
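Review bot: Step 2 of the new StoreInstall section calls the listed settings "required", but the Flags row reads "Description not available at this time.", so a reader cannot tell what value to enter for a setting they are told they must configure. Either document the accepted values for Flags or state explicitly what to enter until the description is available. Step 1 would also benefit from a pointer on where to find the package family name, as the ProductID and SkuID rows already provide for their values.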
diff --git a/windows/configuration/wcd/wcd-universalappuninstall.md b/windows/configuration/wcd/wcd-universalappuninstall.md
index 70cd723052..3c2049687f 100644
--- a/windows/configuration/wcd/wcd-universalappuninstall.md
+++ b/windows/configuration/wcd/wcd-universalappuninstall.md
@@ -7,7 +7,7 @@ ms.sitesec: library
author: jdeckerMS
ms.localizationpriority: medium
ms.author: jdecker
-ms.date: 08/21/2017
+ms.date: 10/17/2017
---
# UniversalAppUninstall (reference)
diff --git a/windows/configuration/wcd/wcd.md b/windows/configuration/wcd/wcd.md
index 080f9e469f..c5ab2a15e7 100644
--- a/windows/configuration/wcd/wcd.md
+++ b/windows/configuration/wcd/wcd.md
@@ -7,7 +7,7 @@ ms.sitesec: library
author: jdeckerMS
ms.localizationpriority: medium
ms.author: jdecker
-ms.date: 08/21/2017
+ms.date: 10/17/2017
---
# Windows Configuration Designer provisioning settings (reference)
@@ -20,11 +20,13 @@ This section describes the settings that you can configure in [provisioning pack
| --- | :---: | :---: | :---: | :---: | :---: |
| [Accounts](wcd-accounts.md) | X | X | X | X | X |
| [ADMXIngestion](wcd-admxingestion.md) | X | | | | |
-| [ApplicationManagement](wcd-applicationmanagement.md) | X | X | X | X | X |
-| [AssignedAccess](wcd-assignedaccess.md) | X | X | | X | |
+| [ApplicationManagement](wcd-applicationmanagement.md) | | | | | X |
+| [AssignedAccess](wcd-assignedaccess.md) | X | | | X | |
| [AutomaticTime](wcd-automatictime.md) | | X | | | |
| [Browser](wcd-browser.md) | X | X | X | X | |
| [CallAndMessagingEnhancement](wcd-callandmessagingenhancement.md) | | X | | | |
+| [Calling](wcd-calling.md) | | X | | | |
+| [CellCore](wcd-cellcore.md) | X | X | | | |
| [Cellular](wcd-cellular.md) | X | | | | |
| [Certificates](wcd-certificates.md) | X | X | X | X | X |
| [CleanPC](wcd-cleanpc.md) | X | | | | |
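Review bot: The ApplicationManagement row goes from an X in all five columns to an X in the last column only, and AssignedAccess loses the X in its second column. These are support-matrix changes rather than editorial ones, and nothing in this hunk explains them. Please confirm that the "Applies to" tables in wcd-applicationmanagement.md and wcd-assignedaccess.md are changed to match in the same commit, and mention the narrowing in the commit message so administrators who rely on this index can see that it was deliberate.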
@@ -34,6 +36,7 @@ This section describes the settings that you can configure in [provisioning pack
| [DesktopBackgroundAndColors](wcd-desktopbackgroundandcolors.md) | X | | | | |
| [DeveloperSetup](wcd-developersetup.md) | | | | X | |
| [DeviceFormFactor](wcd-deviceformfactor.md) | X | X | X | X | |
+| [DeviceInfo](wcd-deviceinfo.md) | | X | | | |
| [DeviceManagement](wcd-devicemanagement.md) | X | X | X | X | |
| [DMClient](wcd-dmclient.md) | X | X | X | X | X |
| [EditionUpgrade](wcd-editionupgrade.md) | X | X | X | X | |
@@ -41,6 +44,7 @@ This section describes the settings that you can configure in [provisioning pack
| [FirewallConfiguration](wcd-firewallconfiguration.md) | | | | | X |
| [FirstExperience](wcd-firstexperience.md) | | | | X | |
| [Folders](wcd-folders.md) |X | X | X | X | |
+| [HotSpot](wcd-hotspot.md) | X | X | X | X | X |
| [InitialSetup](wcd-initialsetup.md) | | X | | | |
| [InternetExplorer](wcd-internetexplorer.md) | | X | | | |
| [Licensing](wcd-licensing.md) | X | | | | |
@@ -65,6 +69,7 @@ This section describes the settings that you can configure in [provisioning pack
| [SurfaceHubManagement](wcd-surfacehubmanagement.md) | | | X | | |
| [TabletMode](wcd-tabletmode.md) |X | X | X | X | |
| [TakeATest](wcd-takeatest.md) | X | | | | |
+| [TextInput](wcd-textinput.md) | | X | | | |
| [Theme](wcd-theme.md) | | X | | | |
| [UnifiedWriteFilter](wcd-unifiedwritefilter.md) | X | | | | |
| [UniversalAppInstall](wcd-universalappinstall.md) | X | X | X | X | X |
diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md
index a3c44c5ab1..be1ce53781 100644
--- a/windows/deployment/deploy-enterprise-licenses.md
+++ b/windows/deployment/deploy-enterprise-licenses.md
@@ -22,7 +22,7 @@ This topic describes how to deploy Windows 10 Enterprise E3 or E5 licenses with
If you are an EA customer with an existing Office 365 tenant, use the following steps to enable Windows 10 Subscription licenses on your existing tenant:
-1. Work with your reseller to place an order for $0 SKU. There are two SKUs available, depending on their current Windows Enterprise SA license:
+1. Work with your reseller to place an order for one $0 SKU per user. There are two SKUs available, depending on their current Windows Enterprise SA license:
a. **AAA-51069** - Win10UsrOLSActv Alng MonthlySub Addon E3
b. **AAA-51068** - Win10UsrOLSActv Alng MonthlySub Addon E5
2. After placing an order, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant.
diff --git a/windows/deployment/volume-activation/plan-for-volume-activation-client.md b/windows/deployment/volume-activation/plan-for-volume-activation-client.md
index 37335d3504..92299edb2e 100644
--- a/windows/deployment/volume-activation/plan-for-volume-activation-client.md
+++ b/windows/deployment/volume-activation/plan-for-volume-activation-client.md
@@ -75,6 +75,7 @@ Telephone activation is primarily used in situations where a computer is isolate
**Note**
A specialized method, Token-based activation, is available for specific situations when approved customers rely on a public key infrastructure in a completely isolated, and usually high-security, environment. For more information, contact your Microsoft Account Team or your service representative.
+Token-based Activation option is available for Windows 10 Enterprise LTSB editions (Version 1507 and 1607).
### Multiple activation key
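Review bot: The added sentence writes "Token-based Activation option" while the note directly above it uses "Token-based activation", and it is missing its article. Suggest "The Token-based activation option is available for Windows 10 Enterprise LTSB editions (versions 1507 and 1607)." Also check whether this line is meant to sit inside the **Note** block or to start a new paragraph; as written in the hunk it follows the note text directly.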
diff --git a/windows/deployment/windows-10-auto-pilot.md b/windows/deployment/windows-10-auto-pilot.md
index 1549e2d687..1ed5c3cb85 100644
--- a/windows/deployment/windows-10-auto-pilot.md
+++ b/windows/deployment/windows-10-auto-pilot.md
@@ -39,7 +39,7 @@ Windows AutoPilot allows you to:
### Prerequisites
* [Devices must be registered to the organization](#registering-devices-to-your-organization)
-* Devices have to be pre-installed with Windows 10, version 1703 or later
+* Devices have to be pre-installed with Windows 10 Professional, Enterprise or Education, of version 1703 or later
* Devices must have access to the internet
* [Azure AD Premium P1 or P2](https://www.microsoft.com/cloud-platform/azure-active-directory-features)
* Microsoft Intune or other MDM services to manage your devices
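Review bot: The reworded prerequisite "Windows 10 Professional, Enterprise or Education, of version 1703 or later" reads awkwardly, and the edition is normally written "Windows 10 Pro". Suggest "Devices must be pre-installed with Windows 10 Pro, Enterprise, or Education, version 1703 or later", which also matches the "Devices must" phrasing of the bullets above and below it.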
diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md
index 2ae59c5ff4..85d2429812 100644
--- a/windows/threat-protection/TOC.md
+++ b/windows/threat-protection/TOC.md
@@ -124,6 +124,7 @@
#### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md)
#### [Enable Threat intel API](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md)
#### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md)
+#### [Enable Security Analytics security controls](windows-defender-atp\enable-security-analytics-windows-defender-advanced-threat-protection.md)
### [Windows Defender ATP settings](windows-defender-atp\settings-windows-defender-advanced-threat-protection.md)
### [Windows Defender ATP service health](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md)
### [Troubleshoot Windows Defender ATP](windows-defender-atp\troubleshoot-windows-defender-advanced-threat-protection.md)
@@ -135,6 +136,7 @@
### [Windows Defender AV on Windows Server 2016](windows-defender-antivirus\windows-defender-antivirus-on-windows-server-2016.md)
### [Windows Defender Antivirus compatibility](windows-defender-antivirus\windows-defender-antivirus-compatibility.md)
+#### [Use limited periodic scanning in Windows Defender AV](windows-defender-antivirus\limited-periodic-scanning-windows-defender-antivirus.md)
### [Evaluate Windows Defender Antivirus protection](windows-defender-antivirus\evaluate-windows-defender-antivirus.md)
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
index 5b30a1d8e3..4d97b468d3 100644
--- a/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
@@ -34,7 +34,7 @@ ms.date: 08/25/2017
- Windows Defender Security Center app
-Block at First Sight is a feature of Windows Defender Antivirus cloud-delivered protection that provides a way to detect and block new malware within seconds.
+Block at first sight is a feature of Windows Defender Antivirus cloud-delivered protection that provides a way to detect and block new malware within seconds.
It is enabled by default when certain pre-requisite settings are also enabled. In most cases, these pre-requisite settings are also enabled by default, so the feature is running without any intervention. You can use group policy settings to confirm the feature is enabled.
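Review bot: The hunk header shows this topic's front matter still at ms.date: 08/25/2017, and no hunk in this file updates it, whereas the other topics edited in this patch bump ms.date alongside their content changes. If the date is meant to track edits, update it here too. For the casing change itself, confirm that the title and the remaining occurrences of "Block at First Sight" in this topic are switched in the same pass so the page does not mix both forms.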
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
index 92cb4eab33..43bd302fff 100644
--- a/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
@@ -82,19 +82,7 @@ Hiding notifications can be useful in situations where you cannot hide the entir
> [!NOTE]
> Hiding notifications will only occur on endpoints to which the policy has been deployed. Notifications related to actions that must be taken (such as a reboot) will still appear on the [System Center Configuration Manager Endpoint Protection monitoring dashboard and reports](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection).
-**Use Group Policy to display additional, custom text in notifications:**
-
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-
-3. In the **Group Policy Management Editor** go to **Computer configuration**.
-
-4. Click **Policies** then **Administrative templates**.
-
-5. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**.
-
-6. Double-click the **Display additional text to clients when they need to perform an action** setting and set the option to **Enabled**.
-
-7. Enter the additional text you want to be shown to users. Click **OK**.
+See the [Customize the Windows Defender Security Center app for your organization](/windows/threat-protection/windows-defender-security-center/windows-defender-security-center-antivirus.md) topic for instructions to add cusomt contact information to the notifications that users see on their machines.
**Use Group Policy to hide notifications:**
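Review bot: The added sentence contains a typo, "cusomt contact information", which should read "custom contact information". The link target is written as a root-style path ending in .md (/windows/threat-protection/windows-defender-security-center/windows-defender-security-center-antivirus.md), unlike the relative .md links used elsewhere in this patch, so verify that it resolves in the published build. Because this hunk deletes the whole Group Policy procedure for "Display additional text to clients when they need to perform an action", confirm that the linked topic covers that setting, otherwise the guidance is lost.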
diff --git a/windows/threat-protection/windows-defender-antivirus/images/svg/check-no.md b/windows/threat-protection/windows-defender-antivirus/images/svg/check-no.md
new file mode 100644
index 0000000000..afa7a3d27d
--- /dev/null
+++ b/windows/threat-protection/windows-defender-antivirus/images/svg/check-no.md
@@ -0,0 +1,7 @@
+
\ No newline at end of file
diff --git a/windows/threat-protection/windows-defender-antivirus/images/svg/check-yes.md b/windows/threat-protection/windows-defender-antivirus/images/svg/check-yes.md
new file mode 100644
index 0000000000..4dd10553c4
--- /dev/null
+++ b/windows/threat-protection/windows-defender-antivirus/images/svg/check-yes.md
@@ -0,0 +1,7 @@
+
\ No newline at end of file
diff --git a/windows/threat-protection/windows-defender-antivirus/images/vtp-3ps-lps-on.png b/windows/threat-protection/windows-defender-antivirus/images/vtp-3ps-lps-on.png
new file mode 100644
index 0000000000..b3bcfd6688
Binary files /dev/null and b/windows/threat-protection/windows-defender-antivirus/images/vtp-3ps-lps-on.png differ
diff --git a/windows/threat-protection/windows-defender-antivirus/images/vtp-3ps-lps.png b/windows/threat-protection/windows-defender-antivirus/images/vtp-3ps-lps.png
new file mode 100644
index 0000000000..8bfe45dd7b
Binary files /dev/null and b/windows/threat-protection/windows-defender-antivirus/images/vtp-3ps-lps.png differ
diff --git a/windows/threat-protection/windows-defender-antivirus/images/vtp-3ps.png b/windows/threat-protection/windows-defender-antivirus/images/vtp-3ps.png
new file mode 100644
index 0000000000..b555bb6110
Binary files /dev/null and b/windows/threat-protection/windows-defender-antivirus/images/vtp-3ps.png differ
diff --git a/windows/threat-protection/windows-defender-antivirus/images/vtp-wdav.png b/windows/threat-protection/windows-defender-antivirus/images/vtp-wdav.png
new file mode 100644
index 0000000000..4351777c34
Binary files /dev/null and b/windows/threat-protection/windows-defender-antivirus/images/vtp-wdav.png differ
diff --git a/windows/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md
new file mode 100644
index 0000000000..b36b55f7f1
--- /dev/null
+++ b/windows/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md
@@ -0,0 +1,72 @@
+---
+title: Enable the limited periodic scanning feature in Windows Defender AV
+description: Limited periodic scanning lets you use Windows Defender AV in addition to your other installed AV providers
+keywords: lps, limited, periodic, scan, scanning, compatibility, 3rd party, other av, disable
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: iaanw
+ms.author: iawilt
+ms.date: 10/02/2017
+---
+
+
+
+# Use limited periodic scanning in Windows Defender AV
+
+
+
+**Applies to:**
+
+- Windows 10, version 1609
+
+
+**Audience**
+
+- Enterprise security administrators
+
+
+**Manageability available with**
+
+- Windows Defender Security Center app
+
+
+Limited periodic scanning is a special type of threat detection and remediation that can be enabled when you have installed another antivirus product on a Windows 10 device.
+
+It can only be enabled in certain situations. See the [Windows Defender Antivirus compatibility](windows-defender-antivirus-compatibility.md) topic for more information on when limited periodic scanning can be enabled, and how Windows Defender Antivirus works with other AV products.
+
+
+## How to enable limited periodic scanning
+
+By default, Windows Defender AV will enable itself on a Windows 10 device if there is no other antivirus product installed, or if the other AV product is out-of-date, expired, or not working correctly.
+
+If Windows Defender AV is enabled, the usual options will appear to configure Windows Defender AV on that device:
+
+
+
+
+If another AV product is installed and working correctly, Windows Defender AV will disable itself. The Windows Defender Security Center app will change the **Virus & threat protection** section to show status about the AV product, and provide a link to the product's configuration options:
+
+
+
+Underneath any 3rd party AV products, a new link will appear as **Windows Defender Antivirus options**. Clicking this link will expand to show the toggle that enables limited periodic scanning.
+
+
+
+
+Sliding the swtich to **On** will show the standard Windows Defender AV options underneath the 3rd party AV product. The limited periodic scanning option will appear at the bottom of the page.
+
+
+
+
+
+
+
+## Related topics
+
+- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
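Review bot: The front matter declares `ms.pagetype: security` twice (once after `search.product` and again after `ms.sitesec`); drop one so the metadata keys are unique. In the body, "Windows 10, version 1609" under **Applies to** should be checked against the actual release naming (another topic in this change refers to version 1703), "Sliding the swtich" should read "switch", and the file ends without a trailing newline. Because this page tells administrators how to run a second scanning engine alongside a third-party product, it would also help to state here, not only in the compatibility topic, which Windows Defender AV states make the toggle available.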
diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
index 1d49a1e634..b2d2890d2b 100644
--- a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
+++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
@@ -15,7 +15,7 @@ ms.date: 09/07/2017
---
-# Windows Defender Antivirus and third party protection products
+# Windows Defender Antivirus compatibility
**Applies to:**
@@ -30,13 +30,11 @@ ms.date: 09/07/2017
Windows Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10.
-However, on endpoints and devices that are protected with a non-Microsoft antivirus or antimalware app, Windows Defender AV will automatically disable itself.
+However, on endpoints and devices that are protected with a non-Microsoft antivirus or antimalware app, Windows Defender AV will automatically disable itself. You can then choose to enable an optional, limited protection feature, called [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md).
If you are also using Windows Defender Advanced Threat Protection, then Windows Defender AV will enter a passive mode.
-On Windows Server 2016, Windows Defender AV will not enter passive or disabled mode if you have also installed a third-party antivirus product. See [Windows Defender Antivirus on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md) topic for key differences and management options for Windows Server installations.
-
-The following matrix illustrates how Windows Defender AV operates when third-party antivirus products or Windows Defender ATP are also used.
+The following matrix illustrates the states that Windows Defender AV will enter when third-party antivirus products or Windows Defender ATP are also used.
Windows version | Antimalware protection offered by | Organization enrolled in Windows Defender ATP | Windows Defender AV state
-|-|-|-
@@ -44,12 +42,19 @@ Windows 10 | A third-party product that is not offered or developed by Microsoft
Windows 10 | A third-party product that is not offered or developed by Microsoft | No | Automatic disabled mode
Windows 10 | Windows Defender AV | Yes | Active mode
Windows 10 | Windows Defender AV | No | Active mode
-Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | Yes | Active mode
-Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | No | Active mode
+Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | Yes | Active mode[[1](#fn1)]
+Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | No | Active mode[[1](#fn1)]
Windows Server 2016 | Windows Defender AV | Yes | Active mode
Windows Server 2016 | Windows Defender AV | No | Active mode
+(1) On Windows Server 2016, Windows Defender AV will not enter passive or disabled mode if you have also installed a third-party antivirus product. If you install a third-party antivirus product, you should [uninstall Windows Defender AV on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md) to prevent problems caused by having multiple antivirus products installed on a machine.
+
+See the [Windows Defender Antivirus on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md#install-or-uninstall-windows-defender-av-on-windows-server-2016) topic for key differences and management options for Windows Server installations.
+
+
+
+
>[!IMPORTANT]
>Windows Defender AV is only available on endpoints running Windows 10 or Windows Server 2016.
>
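Review bot: The footnote markers added to the two Windows Server 2016 rows link to `#fn1`, but the footnote text below the table starts with a plain "(1)" and defines no anchor with that id, so the links will not resolve. Add an explicit anchor or use plain text markers. The footnote and the "See the ... topic" sentence after it both link to the same Server 2016 topic, so one link with the section fragment is enough, and the four consecutive blank lines added before the IMPORTANT note can be trimmed to one.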
@@ -58,25 +63,28 @@ Windows Server 2016 | Windows Defender AV | No | Active mode
>Windows Defender is also offered for [consumer devices on Windows 8.1 and Windows Server 2012](https://technet.microsoft.com/en-us/library/dn344918#BKMK_WindowsDefender), although it does not provide enterprise-level management (or an interface on Windows Server 2012 Server Core installations).
+This table indicates the functionality and features that are available in each state:
+State | Description | [Real-time protection](configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | [Limited periodic scanning availability](limited-periodic-scanning-windows-defender-antivirus.md) | [File scanning and detection information](customize-run-review-remediate-scans-windows-defender-antivirus.md) | [Threat remediation](configure-remediation-windows-defender-antivirus.md) | [Threat definition updates](manage-updates-baselines-windows-defender-antivirus.md)
+:-|:-|:-:|:-:|:-:|:-:|:-:
+Passive mode | Windows Defender AV will not be used as the antivirus app, and threats will not be remediated by Windows Defender AV. Files will be scanned and reports will be provided for threat detections which are shared with the Windows Defender ATP service. | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)]
+Automatic disabled mode | Windows Defender AV will not be used as the antivirus app. Files will not be scanned and threats will not be remediated. | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark no](images/svg/check-no.md)]
+Active mode | Windows Defender AV is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files will be scanned and threats remediated, and detection information will be reported in your configuration tool (such as Configuration Manager or the Windows Defender AV app on the machine itself). | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)]
-In the passive and automatic disabled modes, Windows Defender AV will continue to run (using the *msmpeng.exe* process), and will continue to be updated, however there will be no Windows Defender user interface, scheduled scans won't run, and Windows Defender AV will not provide real-time protection from malware.
+Passive mode is enabled if you are enrolled in Windows Defender ATP because [the service requires common information sharing from the Windows Defender AV service](../windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md) in order to properly monitor your devices and network for intrusion attempts and attacks.
-The reasons for this are twofold:
-
-1. If you are enrolled in Windows Defender ATP, [the service requires common information sharing from the Windows Defender AV service](../windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md) in order to properly monitor your devices and network for intrusion attempts and attacks.
-2. If the protection offered by a third-party antivirus product goes out of date, is not updated, or stops providing real-time protection from viruses, malware, and other threats, then Windows Defender AV will automatically enable itself to ensure antivirus protection is maintained on the endpoint.
+Automatic disabled mode is enabled so that if the protection offered by a third-party antivirus product goes out of date, is not updated, or stops providing real-time protection from viruses, malware, and other threats, Windows Defender AV will automatically enable itself to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md), which uses the Windows Defender AV engine to periodically check for threats in addition to your main antivirus app.
- Therefore, the Windows Defender AV service needs to update itself to ensure it has up-to-date protection coverage in case it needs to automatically enable itself.
+In passive and automatic disabled mode, you can still [manage updates for Windows Defender AV](manage-updates-baselines-windows-defender-antivirus.md), however you can't move Windows Defender AV into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
- You can still [manage updates for Windows Defender](manage-updates-baselines-windows-defender-antivirus.md), however you can't move Windows Defender AV into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
-
- If you uninstall the other product, and choose to use Windows Defender AV to provide protection to your endpoints, Windows Defender AV will automatically return to its normal active mode.
+ If you uninstall the other product, and choose to use Windows Defender AV to provide protection to your endpoints, Windows Defender AV will automatically return to its normal active mode.
>[!WARNING]
>You should not attempt to disable, stop, or modify any of the associated services used by Windows Defender AV, Windows Defender ATP, or the Windows Defender Security Center app.
>
>This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks.
+>
+>It can also cause problems when using third-party antivirus apps and how their information is displayed in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md).
## Related topics
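Review bot: The new state table marks threat definition updates as unavailable in automatic disabled mode, yet the paragraph added further down says that in passive and automatic disabled mode you can still manage updates for Windows Defender AV, and the text removed here said the service keeps updating so it can enable itself when needed. Reconcile the table cell with the prose, because administrators will rely on it to judge whether the fallback engine has current definitions. Also add a blank line between "This table indicates ..." and the header row and another after the last table row, since both sit directly against prose in the added lines, and reword "Automatic disabled mode is enabled so that ...", which reads as a contradiction.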
diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
index 77b79508b8..63f99c38c4 100644
--- a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
+++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
@@ -61,7 +61,7 @@ By default, Windows Defender AV is installed and functional on Windows Server 20
If the interface is not installed, you can add it in the **Add Roles and Features Wizard** at the **Features** step, under **Windows Defender Features** by selecting the **GUI for Windows Defender** option.
-
+
See the [Install or uninstall roles, role services, or features](https://docs.microsoft.com/en-us/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features) topic for information on using the wizard.
@@ -87,6 +87,8 @@ Uninstall-WindowsFeature -Name Windows-Defender-GUI
You can also uninstall Windows Defender AV completely with the **Remove Roles and Features Wizard** by deselecting the **Windows Defender Features** option at the **Features** step in the wizard.
+This is useful if you have a third-party antivirus product installed on the machine already. Multiple AV products can cause problems when installed and actively running on the same machine. See the question "Should I run Microsoft security software at the same time as other security products?" on the [Windows Defender Security Intelligence Antivirus and antimalware software FAQ](https://www.microsoft.com/en-us/wdsi/help/antimalware-faq).
+
>[!NOTE]
>Deselecting **Windows Defender** on its own under the **Windows Defender Features** section will automatically prompt you to remove the interface option **GUI for Windows Defender**.
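Review bot: "This is useful if ..." leaves the reader to infer that "This" means complete removal through the wizard, and "can cause problems" is weaker than the compatibility topic in the same change, which says you should uninstall Windows Defender AV on Windows Server 2016 when a third-party product is installed. Use the same wording in both places and say that Windows Defender AV does not enter passive or disabled mode on Server 2016, so the reason for uninstalling is clear.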
@@ -144,8 +146,6 @@ By default, Windows Update does not download and install updates automatically o
To ensure that protection from malware is maintained, we recommend that you enable the following services:
-- Windows Defender Network Inspection service
-
- Windows Error Reporting service
- Windows Update service
@@ -155,9 +155,8 @@ The following table lists the services for Windows Defender and the dependent se
|Service Name|File Location|Description|
|--------|---------|--------|
|Windows Defender Service (Windefend)|C:\Program Files\Windows Defender\MsMpEng.exe|This is the main Windows Defender Antivirus service that needs to be running at all times.|
-|Windows Defender Network Inspection Service (Wdnissvc)|C:\Program Files\Windows Defender\NisSrv.exe|This service is invoked when Windows Defender Antivirus encounters a trigger to load it.|
|Windows Error Reporting Service (Wersvc)|C:\WINDOWS\System32\svchost.exe -k WerSvcGroup|This service sends error reports back to Microsoft.|
-|Windows Firewall (MpsSvc)|C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork|We recommend leaving the Windows Firewall service enabled.|
+|Windows Defender Firewall (MpsSvc)|C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork|We recommend leaving the Windows Defender Firewall service enabled.|
|Windows Update (Wuauserv)|C:\WINDOWS\system32\svchost.exe -k netsvcs|Windows Update is needed to get definition updates and antimalware engine updates|
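Review bot: The Network Inspection Service row (Wdnissvc) is removed from the services table, and the matching bullet is removed from the recommended services list in the previous hunk, with no explanation in the text. If the service still ships on Windows Server 2016, keep the row and change only the recommendation; otherwise say why it no longer applies. The MpsSvc row is renamed to "Windows Defender Firewall"; confirm that this is the display name administrators see on Windows Server 2016, since this table is what they will match against the Services console.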
diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
index 495cc05eec..7f2ef6dac4 100644
--- a/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
@@ -38,7 +38,7 @@ In Windows 10, version 1703 (also known as the Creators Update), the Windows Def
Settings that were previously part of the Windows Defender client and main Windows Settings have been combined and moved to the new app, which is installed by default as part of Windows 10, version 1703.
> [!IMPORTANT]
-> Disabling the Windows Security Center service will not disable Windows Defender AV or [Windows Firewall](https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). These will be disabled automatically when a third-party antivirus or firewall product is installed and kept up to date.
+> Disabling the Windows Security Center service will not disable Windows Defender AV or [Windows Defender Firewall](https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). These will be disabled automatically when a third-party antivirus or firewall product is installed and kept up to date.
> [!WARNING]
> If you do disable the Windows Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Defender Security Center may display stale or inaccurate information about any antivirus or firewall products you have installed on the device.
@@ -121,7 +121,7 @@ This section describes how to perform some of the most common tasks when reviewi
>[!NOTE]
>If you switch **Real-time protection** off, it will automatically turn back on after a short delay. This is to ensure you are protected from malware and threats.
->If you install another antivirus product, Windows Defender AV will automatically disable itself and will indicate this in the Windows Defender Security Center app. A setting will appear that will allow you to enable limited periodic scanning.
+>If you install another antivirus product, Windows Defender AV will automatically disable itself and will indicate this in the Windows Defender Security Center app. A setting will appear that will allow you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md).
diff --git a/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md
index 15b33475fa..4fb205b6cc 100644
--- a/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md
+++ b/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md
@@ -24,7 +24,7 @@ Your environment needs the following hardware to run Application Guard.
|--------|-----------|
|64-bit CPU|A 64-bit computer is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/tlfs).|
|CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_
**-AND-**
One of the following virtualization extensions for VBS:
VT-x (Intel)
**-OR-**
AMD-V|
-|Hardware memory|8 GB minimum, 16 GB recommended|
+|Hardware memory|Microsoft recommends 8GB RAM for optimal performance|
|Hard disk|5 GB free space, solid state disk (SSD) recommended|
|Input/Output Memory Management Unit (IOMMU) support|Not required, but strongly recommended|
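Review bot: The Hardware memory row replaces "8 GB minimum, 16 GB recommended" with a recommendation only, in a table introduced as the hardware your environment needs, so readers can no longer tell whether 8 GB is a hard requirement or what the minimum is. State the minimum explicitly and keep the recommendation separate, and write "8 GB" with a space to match "5 GB" in the Hard disk row.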
diff --git a/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
index 45139f43a5..9592c54ea3 100644
--- a/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
@@ -52,6 +52,8 @@ This feature is only available if you have an active Office 365 E5 or the Threat
When you enable this feature, you'll be able to incorporate data from Office 365 Advanced Threat Protection into the Windows Defender ATP portal to conduct a holistic security investigation across Office 365 mailboxes and Windows machines.
+To receive contextual machine integration in Office 365 Threat Intelligence, you'll need to enable the Windows Defender ATP settings in the Security & Compliance dashboard. For more information, see [Office 365 Threat Intelligence overview](https://support.office.com/en-us/article/Office-365-Threat-Intelligence-overview-32405DA5-BEE1-4A4B-82E5-8399DF94C512).
+
## Enable advanced features
1. In the navigation pane, select **Preferences setup** > **Advanced features**.
2. Select the advanced feature you want to configure and toggle the setting between **On** and **Off**.
diff --git a/windows/threat-protection/windows-defender-atp/enable-security-analytics-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/enable-security-analytics-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..a95a52eb1d
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/enable-security-analytics-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,49 @@
+---
+title: Enable Security Analytics in Windows Defender ATP
+description: Set the baselines for calculating the score of Windows Defender security controls on the Security Analytics dashboard.
+keywords: enable security analytics, baseline, calculation, analytics, score, security analytics dashboard, dashboard
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 09/05/2017
+---
+
+# Enable Security Analytics security controls
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+Set the baselines for calculating the score of Windows Defender security controls on the Security Analytics dashboard. If you use third-party solutions, consider excluding the corresponding controls from the calculations.
+
+ >[!NOTE]
+ >Changes might take up to a few hours to reflect on the dashboard.
+
+1. In the navigation pane, select **Preferences setup** > **Security Analytics**.
+
+ 
+
+2. Select the security control, then toggle the setting between **On** and **Off**.
+
+3. Click **Save preferences**.
+
+## Related topics
+- [View the Security Analytics dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md)
+- [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md)
+- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md)
+- [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md)
+- [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)
+- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
+- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+- [Create and build Power BI reports](powerbi-reports-windows-defender-advanced-threat-protection.md)
\ No newline at end of file
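Review bot: The procedure does not say what switching a control to **Off** does to the score. The intro suggests excluding controls covered by third-party solutions, so state whether an excluded control is dropped from both the points earned and the score potential, and whether machines are still assessed for that control on the dashboard. Smaller points: the front matter `title` ("Enable Security Analytics in Windows Defender ATP") and the H1 ("Enable Security Analytics security controls") differ, `ms.date` is 09/05/2017 although the dashboard topic in this change is bumped to 10/02/2017, the NOTE block is indented by a space unlike the other alerts in this change, and the file has no trailing newline.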
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-dashboard-security-analytics-full.png b/windows/threat-protection/windows-defender-atp/images/atp-dashboard-security-analytics-full.png
new file mode 100644
index 0000000000..4005404aff
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-dashboard-security-analytics-full.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-enable-security-analytics.png b/windows/threat-protection/windows-defender-atp/images/atp-enable-security-analytics.png
new file mode 100644
index 0000000000..9d8ae5a5cd
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-enable-security-analytics.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-improv-opps.png b/windows/threat-protection/windows-defender-atp/images/atp-improv-opps.png
new file mode 100644
index 0000000000..0f5ef13a77
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-improv-opps.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-org-sec-score.png b/windows/threat-protection/windows-defender-atp/images/atp-org-sec-score.png
index 65dc93e72c..729042ed30 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-org-sec-score.png and b/windows/threat-protection/windows-defender-atp/images/atp-org-sec-score.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-security-score-over-time.png b/windows/threat-protection/windows-defender-atp/images/atp-security-score-over-time.png
new file mode 100644
index 0000000000..9cbf01f81a
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-security-score-over-time.png differ
diff --git a/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md
index fb13f00579..26057dc724 100644
--- a/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@
---
title: View the Security Analytics dashboard in Windows Defender ATP
description: Use the Security Analytics dashboard to assess and improve the security state of your organization by analyzing various security control tiles.
-keywords: security analytics, dashboard, security recommendations, security control state, security score, score improvement, organizational security score, security coverate, security control, improvement opportunities, edr, antivirus, av, os security updates
+keywords: security analytics, dashboard, security recommendations, security control state, security score, score improvement, organizational security score, security coverage, security control, improvement opportunities, edr, antivirus, av, os security updates
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 10/02/2017
---
# View the Windows Defender Advanced Threat Protection Security analytics dashboard
@@ -33,37 +33,41 @@ The **Security analytics dashboard** displays a snapshot of:
- Organizational security score
- Security coverage
- Improvement opportunities
+- Security score over time
-
+
## Organizational security score
The organization security score is reflective of the average score of all the Windows Defender security controls that are configured according to the recommended baseline. You can improve this score by taking the steps in configuring each of the security controls in the optimal settings.
-
+
-Each Windows Defender security control from the **Security coverage** tile contributes 100 points to the organizational security score.
+Each Windows Defender security control from the **Security coverage** tile contributes 100 points to the organizational security score.
The denominator is reflective of the organizational score potential and calculated by multiplying the number of supported security controls (Security coverage pillars) by the maximum points that each pillar contributes (maximum of 100 points for each pillar).
-In the example image, the total points from the **Improvement opportunities** tile add up to 279 points for the three pillars from the **Security coverage** tile.
+In the example image, the total points from the **Improvement opportunities** tile add up to 321 points for the six pillars from the **Security coverage** tile.
+
+You can set the baselines for calculating the score of Windows Defender security controls on the Security Analytics dashboard through the **Preferences settings**. For more information, see [Enable Security Analytics security controls](enable-security-analytics-windows-defender-advanced-threat-protection.md).
## Security coverage
-The security coverage tile shows a bar graph where each bar represents a Windows Defender security control. Each bar contributes 100 points to the overall organizational security score. It also represents the various Windows 10 security components with an indicator of the total number of machines that are well configured and those that require attention. Hovering on top of the individual bars will show exact numbers for each category.
+The security coverage tile shows a bar graph where each bar represents a Windows Defender security control. Each bar reflects the number of machines that are well configured and those that require **any kind of attention** for each security control. Hovering on top of the individual bars will show exact numbers for each category. Machines that are green are well configured, while machines that are orange require some level of attention.
-
+
## Improvement opportunities
Improve your organizational security score by taking the recommended improvement actions listed on this tile. The goal is to reduce the gap between the perfect score and the current score for each control.
Click on each control to see the recommended optimizations.
-
+
The numbers beside the green triangle icon on each recommended action represents the number of points you can gain by taking the action. When added together, the total number makes up the numerator in the fraction for each segment in the Improvement opportunities tile.
-Recommendations that do not display a green action are informational only and no action is required.
+>[!IMPORTANT]
+>Recommendations that do not display a green triangle icon are informational only and no action is required.
Clicking **View machines** in a specific recommendation opens up the **Machines list** with filters applied to show only the list of machines where the the recommendation is applicable. You can export the list in Excel to create a target collection and apply relevant policies using a management solution of your choice.
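Review bot: The new `>[!IMPORTANT]` callout in the Improvement opportunities section wraps a sentence that says these recommendations are informational only and need no action, which fits `>[!NOTE]` better; IMPORTANT is best kept for things the reader has to act on. Two smaller points in the same hunk: the added line "321 points for the six pillars" hard-codes values that have to match the example image, so confirm they agree with the screenshot that ships, and the unchanged line under the callout still reads "the the recommendation", which could be fixed in this pass.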
@@ -71,9 +75,22 @@ The following image shows an example list of machines where the EDR sensor is no

-### Endpoint detection and response (EDR) optimization
-This tile provides a specific list of actions you can take on Windows Defender ATP to improve how endpoints provide sensor data to the Windows Defender ATP service.
+## Security score over time
+You can track the progression of your organizational security posture over time using this tile. It displays the overall and individual control scores in a historical trend line enabling you to see how taking the recommended actions increase your overall security posture.
+
+
+You can click on specific date points to see the total score for that security control is on a particular date.
+
+### Endpoint detection and response (EDR) optimization
+For an endpoint to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for your Endpoint detection and response tool.
+
+#### Minimum baseline configuration setting for EDR:
+- Windows Defender ATP sensor is on
+- Data collection is working correctly
+- Communication to Windows Defender ATP service is not impaired
+
+#### Minimum baseline configuration setting for EDR:
You can take the following actions to increase the overall security score of your organization:
- Turn on sensor
- Fix sensor data collection
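Review bot: The second added heading in the EDR section repeats "#### Minimum baseline configuration setting for EDR:" directly above "You can take the following actions..."; every other control section in this change uses "##### Recommended actions:" at that point, so this looks like a copy-paste slip. The added EDR intro is also unfinished: it ends "...so that the minimum baseline configuration setting for your Endpoint detection and response tool." without the "is fulfilled" the other sections have. In addition, inserting "## Security score over time" directly above "### Endpoint detection and response (EDR) optimization" makes the per-control sections children of the trend tile rather than of Improvement opportunities, and "to see the total score for that security control is on a particular date" needs rewording (and "increase" should be "increases" in the sentence before it).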
@@ -81,9 +98,19 @@ You can take the following actions to increase the overall security score of you
For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md).
-### Windows Defender Antivirus optimization
-This tile provides a list of specific list of actions you can implement on endpoints with Windows Defender Antivirus to improve the security in your organization. Each action shows the exact number of endpoints where you can apply the action on.
+### Windows Defender Antivirus (Windows Defender AV) optimization
+For an endpoint to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender AV is fulfilled.
+#### Minimum baseline configuration setting for Windows Defender AV:
+Endpoints are considered "well configured" for Windows Defender AV if the following requirements are met:
+
+- Windows Defender AV is reporting correctly
+- Windows Defender AV is turned on
+- Signature definitions are up to date
+- Real-time protection is on
+- Potentially Unwanted Application (PUA) protection is enabled
+
+##### Recommended actions:
You can take the following actions to increase the overall security score of your organization:
>[!NOTE]
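Review bot: The heading levels in the added Windows Defender AV block are inconsistent: "#### Minimum baseline configuration setting for Windows Defender AV:" is followed by "##### Recommended actions:", so the actions nest under the baseline heading instead of sitting beside it. Use the same level for both, here and in the sections that copy this pattern. The "####" heading is also added immediately after the intro paragraph with no blank line between them, unlike the later sections, and "comply to" should be "comply with" (the phrase is repeated in each new section).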
@@ -93,7 +120,6 @@ You can take the following actions to increase the overall security score of you
- This recommendation is displayed when the Windows Defender Antivirus is not properly configured to report its health state. For more information on fixing the reporting, see [Configure and validate network connections](../windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md).
- Turn on antivirus
- Update antivirus definitions
-- Turn on cloud-based protection
- Turn on real-time protection
- Turn on PUA protection
@@ -105,14 +131,115 @@ This tile shows you the exact number of machines that require the latest securit
You can take the following actions to increase the overall security score of your organization:
- Install the latest security updates
+- Fix sensor data collection
+ - The Windows Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md).
-For more information on, see [Windows Update Troubleshooter](https://support.microsoft.com/en-us/help/4027322/windows-windows-update-troubleshooter).
+For more information, see [Windows Update Troubleshooter](https://support.microsoft.com/en-us/help/4027322/windows-windows-update-troubleshooter).
+### Windows Defender Exploit Guard (Windows Defender EG) optimization
+For an endpoint to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender EG is fulfilled. When endpoints are configured according to the baseline you'll be able to see Windows Defender EG events on the Windows Defender ATP Machine timeline.
+
+#### Minimum baseline configuration setting for Windows Defender EG:
+Endpoints are considered "well configured" for Windows Defender EG if the following requirements are met:
+
+- System level protection settings are configured correctly
+- Attack Surface Reduction rules are configured correctly
+- Controlled Folder Access setting is configured correctly
+
+##### System level protection:
+The following system level configuration settings must be set to **On or Force On**:
+
+1. Control Flow Guard
+2. Data Execution Prevention (DEP)
+3. Randomize memory allocations (Bottom-up ASLR)
+4. Validate exception chains (SEHOP)
+5. Validate heap integrity
+
+>[!NOTE]
+>The setting **Force randomization for images (Mandatory ASLR)** is currently excluded from the baseline.
+>Consider configuring **Force randomization for images (Mandatory ASLR)** to **On or Force On** for better protection.
+
+##### Attack Surface Reduction (ASR) rules:
+The following ASR rules must be configured to **Block mode**:
+
+Rule description | GUIDs
+-|-
+Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
+Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
+Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899
+Impede JavaScript and VBScript to launch executables | D3E037E1-3EB8-44C8-A917-57927947596D
+Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
+Block Win32 imports from Macro code in Office | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
+
+
+>[!NOTE]
+>The setting **Block Office applications from injecting into other processes** with GUID 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 is excluded from the baseline.
+>Consider enabling this rule in **Audit** or **Block mode** for better protection.
+
+
+##### Controlled Folder Access
+The Controlled Folder Access setting must be configured to **Audit** or **Block mode**.
+
+>[!NOTE]
+> Audit mode, allows you to see audit events in the Windows Defender ATP Machine timeline however it does not block suspicious applications.
+>Consider enabling Controlled Folder Access for better protection.
+
+##### Recommended actions:
+You can take the following actions to increase the overall security score of your organization:
+- Turn on all system-level Exploit Protection settings
+- Set all ASR rules to enabled or audit mode
+- Turn on Controlled Folder Access
+- Turn on Windows Defender Antivirus on compatible machines
+
+For more information, see [Windows Defender Exploit Guard](../windows-defender-exploit-guard/windows-defender-exploit-guard.md).
+
+### Windows Defender Application Guard (Windows Defender AG) optimization
+For an endpoint to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender AG is fulfilled. When endpoints are configured according to the baseline you'll be able to see Windows Defender AG events on the Windows Defender ATP Machine timeline.
+
+#### Minimum baseline configuration setting for Windows Defender AG:
+Endpoints are considered "well configured" for Windows Defender AG if the following requirements are met:
+
+- Hardware and software prerequisites are met
+- Windows Defender AG is turned on compatible machines
+- Managed mode is turned on
+
+##### Recommended actions:
+You can take the following actions to increase the overall security score of your organization:
+- Ensure hardware and software prerequisites are met
+
+ >[!NOTE]
+ >This improvement item does not contribute to the security score in itself because it's not a prerequisite for Windows Defender AG. It gives an indication of a potential reason why Windows Defender AG is not turned on.
+
+- Turn on Windows Defender AG on compatible machines
+- Turn on managed mode
+
+
+For more information, see [Windows Defender Application Guard overview](../windows-defender-application-guard/wd-app-guard-overview.md).
+
+
+### Windows Defender SmartScreen optimization
+For an endpoint to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender SmartScreen is fulfilled.
+
+#### Minimum baseline configuration setting for Windows Defender SmartScreen:
+The following settings must be configured with the following settings:
+- Check apps and files: **Warn** or **Block**
+- SmartScreen for Microsoft Edge: **Warn** or **Block**
+- SmartScreen for Windows Store apps: **Warn** or **Off**
+
+
+You can take the following actions to increase the overall security score of your organization:
+- Set **Check app and files** to **Warn** or **Block**
+- Set **SmartScreen for Microsoft Edge** to **Warn** or **Block**
+- Set **SmartScreen for Windows Store apps** to **Warn** or **Off**
+
+For more information, see [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md).
+
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-sadashboard-belowfoldlink)
## Related topics
-- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+- [Enable Security Analytics security controls](enable-security-analytics-windows-defender-advanced-threat-protection.md)
+- [View the Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
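Review bot: The Exploit Guard section contradicts itself on ASR: the baseline says the rules "must be configured to **Block mode**", but the recommended action further down is "Set all ASR rules to enabled or audit mode". If audit mode does not satisfy the baseline, the action should say block mode only. Similar mismatches in this hunk: the EG actions include "Turn on Windows Defender Antivirus on compatible machines" although the EG baseline list has no antivirus requirement; the AG baseline lists "Hardware and software prerequisites are met" while the note under the matching action says it is "not a prerequisite for Windows Defender AG" and does not count toward the score; and the Controlled Folder Access note says "Consider enabling Controlled Folder Access" right after the baseline already requires Audit or Block mode. For SmartScreen, please confirm "SmartScreen for Windows Store apps: **Warn** or **Off**" is intended, since Off is an unusual baseline value and the page gives no reason for it; the actions list also lacks the "##### Recommended actions:" heading the other sections have, and "Check app and files" should match "Check apps and files" above it. Wording nits: "Windows Defender AG is turned on compatible machines" is missing an "on", "The following settings must be configured with the following settings" is circular, and "Audit mode, allows you to see audit events ... however it does not block" needs the comma removed and a break before "however".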
diff --git a/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
index ca4ced3a04..320ea854bf 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
@@ -144,7 +144,7 @@ You can review the Windows event log to see events that are created when an Atta
2. On the left panel, under **Actions**, click **Import custom view...**
- 
+ 
3. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
diff --git a/windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md
index 9faffd8366..7f728d947a 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md
@@ -75,7 +75,7 @@ You can review the Windows event log to see events that are created when Control
3. On the left panel, under **Actions**, click **Import custom view...**
- 
+ 
4. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
diff --git a/windows/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md
index 03c00df6f6..47df6f39f0 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md
@@ -75,7 +75,7 @@ You can use the Windows Defender Security Center app or Group Policy to add and
4. Click **Add a protected folder** and follow the prompts to add apps.
- 
+ 
### Use Group Policy to protect additional folders
@@ -107,7 +107,7 @@ You can use the Windows Defender Security Center app or Group Policy to add and
Continue to use `Add-MpPreference -ControlledFolderAccessProtectedFolders` to add more folders to the list. Folders added using this cmdlet will appear in the Windows Defender Security Center app.
-
+
>[!IMPORTANT]
@@ -144,7 +144,7 @@ When you add an app, you have to specify the app's location. Only the app in tha
4. Click **Add an allowed app** and follow the prompts to add apps.
- 
+ 
### Use Group Policy to whitelist specific apps
@@ -178,7 +178,7 @@ When you add an app, you have to specify the app's location. Only the app in tha
Continue to use `Add-MpPreference -ControlledFolderAccessAllowedApplications` to add more apps to the list. Apps added using this cmdlet will appear in the Windows Defender Security Center app.
-
+
>[!IMPORTANT]
diff --git a/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
index c837adc81b..1f4767560d 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
@@ -51,25 +51,25 @@ It also describes how to enable or configure the mitigations using Windows Defen
All mitigations can be configured for individual apps. Some mitigations can also be applied at the operating system level.
-You can set each of the mitigations to on, off, or to their default value as indicated in the table below. Some mitigations have additional options, these are indicated in the description in the table.
+You can set each of the mitigations to on, off, or to their default value. Some mitigations have additional options, these are indicated in the description in the table.
Default values are always specified in brackets at the **Use default** option for each mitigation. In the following example, the default for Data Execution Prevention is "On".
-
+
The **Use default** configuration for each of the mitigation settings indicates our recommendation for a base level of protection for everyday usage for home users. Enterprise deployments should consider the protection required for their individual needs and may need to modify configuration away from the defaults.
For the associated PowerShell cmdlets for each mitigation, see the [PowerShell reference table](#cmdlets-table) at the bottom of this topic.
-Mitigation | Description | Can be applied to, and default value for system mitigations | Audit mode available
+Mitigation | Description | Can be applied to | Audit mode available
- | - | - | -
-Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level (system default: **On**) | [!include[Check mark no](images/svg/check-no.md)]
-Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level (system default: **On**) | [!include[Check mark no](images/svg/check-no.md)]
-Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level (system default: **Off**) | [!include[Check mark no](images/svg/check-no.md)]
-Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level (system default: **On**) | [!include[Check mark no](images/svg/check-no.md)]
-Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level (system default: **On**) | [!include[Check mark no](images/svg/check-no.md)]
-Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level (system default: **Off**) | [!include[Check mark no](images/svg/check-no.md)]
+Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level | [!include[Check mark no](images/svg/check-no.md)]
+Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level | [!include[Check mark no](images/svg/check-no.md)]
+Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level | [!include[Check mark no](images/svg/check-no.md)]
+Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level | [!include[Check mark no](images/svg/check-no.md)]
+Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level | [!include[Check mark no](images/svg/check-no.md)]
+Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | [!include[Check mark no](images/svg/check-no.md)]
Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
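Review bot: Dropping the "(system default: **On**/**Off**)" values from the third column of the mitigation table removes the only place the page stated the system defaults, including that Mandatory ASLR and Validate heap integrity defaulted to **Off**. The paragraph below still points readers at the bracketed value next to **Use default** in the UI, so the information now exists only in the app. If the defaults were removed because they were wrong or vary by build, say so in the text; otherwise keep them, since an admin comparing endpoints against a baseline needs to know which mitigations are off out of the box. The rewritten sentence "Some mitigations have additional options, these are indicated in the description in the table." is also a comma splice; split it or use "which are indicated".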
@@ -127,7 +127,7 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then the **Exploit protection** label:
- 
+ 
3. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here:
- **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
@@ -139,7 +139,7 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi
Changing some settings may required a restart, which will be indicated in red text underneath the setting.
- 
+ 
4. Repeat this for all the system-level mitigations you want to configure.
@@ -154,7 +154,7 @@ Exporting the configuration as an XML file allows you to copy the configuration
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then the **Exploit protection settings** at the bottom of the screen:
- 
+ 
3. Go to the **Program settings** section and choose the app you want to apply mitigations to:
@@ -164,14 +164,14 @@ Exporting the configuration as an XML file allows you to copy the configuration
- Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
- Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
- 
+ 
4. After selecting the app, you'll see a list of all the mitigations that can be applied. To enable the mitigation, click the check box and then change the slider to **On**. Select any additional options. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
- 
+ 
You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) or return to configure system-level mitigations.
diff --git a/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
index 7158a21778..c42e32c42f 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
@@ -79,7 +79,7 @@ See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) to
- Disabled = 0
- Audit mode = 2
-
+
diff --git a/windows/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
index 6935d74d73..69153eefb4 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
@@ -60,7 +60,7 @@ For further details on how audit mode works, and when you might want to use it,
3. Set the switch for the feature to **On**
- 
+ 
### Use Group Policy to enable Controlled folder access
@@ -77,7 +77,7 @@ For further details on how audit mode works, and when you might want to use it,
- **Disable (Default)** - The Controlled folder access feature will not work. All apps can make changes to files in protected folders.
- **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization.
- 
+ 
>[!IMPORTANT]
>To fully enable the Controlled folder access feature, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu.
diff --git a/windows/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md b/windows/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
index 832df46955..bd2b01af18 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
@@ -57,7 +57,7 @@ This tool has a simple user interface that lets you choose a rule, configure it
When you run a scenario, you will see what the scenario entails, what the rule is set to, and what actions were taken.
-
+
Each scenario creates a fake or sample file or behavior that the rule would target and, if the rule was enabled, block from running.
@@ -99,7 +99,7 @@ Audit | The rule wil fire, but the suspicious behavior will **not** be blocked f
Block mode will cause a notification to appear on the user's desktop:
-
+
You can [modify the notification to display your company name and links](customize-attack-surface-reduction.md#customize-the-notification) for users to obtain more information or contact your IT help desk.
diff --git a/windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md b/windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
index c2483edae7..f8829b944e 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
@@ -73,11 +73,11 @@ You can enable Controlled folder access, run the tool, and see what the experien
6. You'll be asked to specify a name and location for the file. You can choose anything you wish to test.
- 
+ 
7. A notification will appear, indicating that the tool was prevented from creating the file, as in the following example:
- 
+ 
## Review Controlled folder access events in Windows Event Viewer
diff --git a/windows/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md b/windows/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
index 1d47864477..af1f57f168 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
@@ -64,7 +64,7 @@ You can also carry out the processes described in this topic in audit or disable
You will get a 403 Forbidden response in the browser, and you will see a notification that the network connnection was blocked.
-
+
## Review Network protection events in Windows Event Viewer
diff --git a/windows/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md
index 97a86e7fa9..f3ad3cb57e 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md
@@ -47,7 +47,7 @@ You can also manually navigate to the event area that corresponds to the Windows
### Import an existing XML custom view
-1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the appropraite file to an easily accessible location. The following filenames are each of the custom views:
+1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the appropriate file to an easily accessible location. The following filenames are each of the custom views:
- Controlled folder access events custom view: *cfa-events.xml*
- Exploit protection events custom view: *ep-events.xml*
- Attack surface reduction events custom view: *asr-events.xml*
@@ -57,7 +57,7 @@ You can also manually navigate to the event area that corresponds to the Windows
3. On the left panel, under **Actions**, click **Import Custom View...**
- 
+ 
4. Navigate to where you extracted XML file for the custom view you want and select it.
@@ -73,7 +73,7 @@ You can also manually navigate to the event area that corresponds to the Windows
3. On the left panel, under **Actions**, click **Create Custom View...**
- 
+ 
4. Go to the XML tab and click **Edit query manually**. You'll see a warning that you won't be able to edit the query using the **Filter** tab if you use the XML option. Click **Yes**.
diff --git a/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md
index f9095299df..8b5068a19b 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md
@@ -76,7 +76,7 @@ You can review the Windows event log to see events that are created when Exploit
3. On the left panel, under **Actions**, click **Import custom view...**
- 
+ 
4. Navigate to where you extracted *ep-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
diff --git a/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md b/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md
index a4da86a4bc..dec6e37038 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md
@@ -66,16 +66,15 @@ When you have configured Exploit protection to your desired state (including bot
### Use the Windows Defender Security Center app to export a configuration file
-1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings**:
- 
+ 
3. At the bottom of the **Exploit protection** section, click **Export settings** and then choose the location and name of the XML file where you want the configuration to be saved.
-
- 
+
>[!NOTE]
>When you export the settings, all settings for both app-level and system-level mitigations are saved. This means you don't need to export a file from both the **System settings** and **Program settings** sections - either section will export all settings.
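Review bot: Step 3 of the export procedure loses its screenshot (images/wd-sc-exp-prot-export.png) with nothing put in its place, and no visible part of the change says why. If the image is outdated, replace it; if the removal is intentional, check whether the PNG is still referenced elsewhere and delete the file if not, so it does not linger in the repo. The rename to "Windows Defender Security Center app" in step 1 is fine and matches the section heading.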
@@ -151,13 +150,13 @@ You can use Group Policy to deploy the configuration you've created to multiple
5. Expand the tree to **Windows components > Windows Defender Exploit Guard > Exploit protection**.
- 
+ 
6. Double-click the **Use a common set of Exploit protection settings** setting and set the option to **Enabled**.
7. In the **Options::** section, enter the location and filename of the Exploit protection configuration file that you want to use, such as in the following examples:
- C:\MitigationSettings\Config.XML
- - \\Server\Share\Config.xml
+ - \\\Server\Share\Config.xml
- https://localhost:8080/Config.xml
8. Click **OK** and [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx).
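Review bot: In step 7 the UNC example now depends on `\\\Server` rendering as two backslashes, which only works because the Markdown renderer leaves `\S` alone. Wrapping each of the three example locations in inline code would show `\\Server\Share\Config.xml` literally and remove the escaping question. Two smaller points on the same step: the unchanged line above it reads **Options::** with a doubled colon, and the examples mix `Config.XML` and `Config.xml`. The step also offers a network share and a URL as sources without saying who should be able to write to that location. Since the hunk header describes deploying this file to multiple machines through Group Policy, a sentence recommending that the file be readable by the target machines but writable only by administrators would be worth adding.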
diff --git a/windows/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
index 57473681c2..3f78879c88 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
@@ -70,7 +70,7 @@ You can review the Windows event log to see events that are created when Network
2. On the left panel, under **Actions**, click **Import custom view...**
- 
+ 
3. Navigate to the Exploit Guard Evaluation Package, and select the file *np-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
diff --git a/windows/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/threat-protection/windows-defender-security-center/windows-defender-security-center.md
index 804c2d9152..d699cfe2ba 100644
--- a/windows/threat-protection/windows-defender-security-center/windows-defender-security-center.md
+++ b/windows/threat-protection/windows-defender-security-center/windows-defender-security-center.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
-ms.date: 08/25/2017
+ms.date: 10/04/2017
---
@@ -125,11 +125,11 @@ See the following links for more information on the features in the Windows Defe
You can customize notifcations so they show information to users about how to get more help from your organization's help desk.
-
+
This information will also appear as a pop-out window on the Windows Defender Security Center app.
-
+
Users can click on the displayed information to get more help:
- Clicking **Call** or the phone number will open Skype to start a call to the displayed number